(57) The present invention provides a tamper-resistant
information device for use with IC cards, etc. having
high security.

The tamper-resistant information device compris- 
es: means for inputting a signal; a storage unit for storing 
a program; an operation unit for performing predeter- 
mined data processing according to a program; and 
means for outputting a signal; wherein the program 
stored in the above storage unit includes one or more 
data processing instructions giving an execution direc- 
tion to the operation unit; whereby when the signal input 
from the above data inputting means is subjected to data 
processing, at least one of the above data processing 
instructions instructs an operation on a signal A and a 
signal B to be performed, where the signal B is used for 
a given calculation in data processing, the above operation
including the steps of: arbitrarily dividing the signal
A or B into pieces; performing a given operation on each 
piece of the divided signal and on the remaining undi- 
vided signal, separately; and adding all the operation re- 
sults to obtain the proper encrypted signal. 
Description

BACKGROUND OF THE INVENTION 

[0001] The present invention relates to a tamper-re- 
sistant information processing device. It is particularly 
very effective when applied to cards such as the IC card.
[0002] An IC card is a device used for such purposes 
as to hold personal information which should not be altered
without permission, to encrypt data by use of a
cryptographic key (which is secret information), or to de- 
crypt ciphertext. The IC card does not have any power 
source therein, but when it is inserted in a reader/writer 
for IC cards, the IC card is supplied with power and be- 
comes operable. When the IC card is in the operable 
state, it receives a command transmitted from the read- 
er/writer, and carries out a process such as transfer of 
data according to the command. 
[0003] Fig. 1 shows a basic conceptual configuration 
of an IC card in which an IC card chip 102 is mounted 
on a card 101. As shown in the figure, an IC card generally
has disposed thereon a supply voltage terminal
Vcc, a ground terminal GND, a reset terminal RST, an 
input/output terminal I/O, and a clock terminal CLK. The 
positions of these terminals are specified in ISO Inter- 
national Standard 7816. The IC card receives power 
from the reader/writer and exchanges data with the 
reader/writer. Such communication between the IC card 
and the reader/writer is described, for example, on page 
41 of a book entitled "SMARTCARD HANDBOOK" authored
by W. Rankl and W. Effing and published by John
Wiley & Sons in 1997. 

[0004] The configuration of the semiconductor chip 
mounted on an IC card is basically the same as that of 
the ordinary microcomputer. Fig. 2 is a block diagram
showing the basic configuration of the semiconductor 
chip mounted on an IC card. As shown in Fig. 2, the 
semiconductor chip for cards has a central processing 
unit (CPU) 201, a memory device 204, an input/output 
(I/O) port 207, and coprocessor 202. Some systems do 
not employ the coprocessor. The CPU 201 is a device 
for performing logic and arithmetic operations, while the 
memory device 204 stores programs and data. The in- 
put/output port is a device for communicating with the 
reader/writer. The coprocessor performs cryptographic 
processing itself or operations necessary for crypto- 
graphic processing at high speed. For example, types 
of coprocessors employed include a particular operation 
device for performing a residue operation for RSA and
a cryptographic device for performing a rounding process
for DES. There are many IC card processors which
do not have any coprocessors. A data bus 203 is a bus 
connecting one device to another. 
[0005] The memory device 204 includes such memories
as a ROM (Read Only Memory), a RAM (Random
Access Memory), and an EEPROM (Electric Erasable
Programmable Read Only Memory). Information stored
in a ROM cannot be altered, and therefore ROMs are
used to store mainly programs. Information stored in a
RAM, on the other hand, can be freely rewritten, but the
stored information disappears once the power supply is
interrupted. That is, since the power supply to an IC card
is interrupted when the IC card is removed from the
reader/writer, the RAM can no longer hold its contents
after that. The EEPROM, in contrast, can continue holding
its contents even if its power supply is interrupted.
Therefore, the EEPROM is used for storing data which
it is necessary to rewrite, and hold even when the IC
card is removed from the reader/writer. For example, the
number of the remaining call units of a prepaid telephone
card is rewritten each time the card is used, and
the call unit data must continue to be held even after the
card is removed from the reader/writer. This is why the
call unit data of the prepaid card is held in an EEPROM.

SUMMARY OF THE INVENTION 

[0006] The present invention provides a tamper-resistant
information device for use with cards having high
security. 

[0007] Specifically, an object of an embodiment according
to the present invention is to reduce the correlation
between the contents of data processing operations
and consumed currents in a card component such
as the IC card chip. Reducing the correlation between
the contents of the data processing operations and the
consumed currents in the chip makes it difficult to estimate
what is being processed in the IC card chip and
how, and to derive the cryptographic key from the observed
waveforms of the consumed currents. Thus, the
present invention provides cards with high security.
[0008] Since IC cards have an IC card chip mounted
thereon which is capable of holding programs and important
information, they are used to store important information
or internally perform cryptographic processing.
It has been conventionally considered that the difficulty
of breaking a code stored in an IC card is the same
as the difficulty of deriving its encryption algorithm. However,
it is pointed out that the details of the encryption
processing operation and the cryptographic key may be
derived by observing and analyzing the current consumed
during the encryption process in the IC card,
which may be easier than deriving the encryption algorithm.
The consumed current is obtained by measuring
the current supplied from the reader/writer to the IC
card. The details of this attack and its danger are described,
for example, on page 263 (8.5.1.1 Passive Protective
Mechanisms) of the book "SMARTCARD HANDBOOK"
authored by W. Rankl & W. Effing and published
by John Wiley & Sons. The following specifically describes
the attack. Each CMOS constituting an IC card
chip consumes a current when its output state switches
from "1" to "0" or vice versa. Particularly, a large current
flows through the data bus 203 when the bus value
changes from 1 to 0 or vice versa. The current of the
bus driver, the wiring employed, and the capacitance associated
with transistors connected to the wiring cause
such a current to flow. Therefore, it is possible to identify
what is operating in the IC card chip by observing the
consumed current.

[0009] Fig. 3 shows single-cycle waveforms of currents
consumed in an IC card chip. The current waveforms
are different from one another, as indicated by reference
numerals 301 and 302, depending on the processed
data. More specifically, such a difference occurs
depending on data flowing through the bus 203 and data
processed in the central processing unit 201.
[0010] The coprocessor 202 can perform, for example,
512-bit modular multiplication in parallel with the
CPU processing. This means that it is possible to observe
the waveform of a current different from that in the
CPU for a long time. Therefore, the number of operations
performed by the coprocessor can be measured
by observing its particular current waveform. If the
number of operations performed by the coprocessor has
some relationship to the cryptographic key, it might be
possible to derive the key from the number of the operations.

[0011] Further, if which operation is performed or what 
is operated by the coprocessor changes depending on 
the cryptographic key, the dependency might be found 
by observing the corresponding change in the con- 
sumed current, and the cryptographic key might be de- 
rived. 

[0012] Similarly, in the CPU, the influence of each bit 
value of the cryptographic key on processed data might 
be obtained by changing the data a plurality of times and 
observing the corresponding change in each consumed 
current. It might be possible to derive the cryptographic 
key by statistically processing the waveforms of these 
consumed currents.

[0013] The ideas on which embodiments of the 
present invention are based include: dividing a process 
performed in an IC card so that attackers cannot specify 
the process as a whole; and inserting a dummy process. 
These methods make it difficult to identify the original 
process and derive the cryptographic key from the 
waveforms of the consumed currents. 
[0014] A tamper-resistant device as represented by
the IC card chip is regarded as an information processing
device having one or more data processing means
which each comprise: a program storage unit for storing
a program; a memory unit having a data storage unit for
storing data; and a central processing unit (CPU) for performing
a predetermined process to process data according
to the program; wherein the program is composed
of process instructions for giving an execution direction
to the CPU.

[0015] A method according to an embodiment of the
present invention for scrambling the correlation between
processed data and consumed currents in an IC
card chip is to divide the data into pieces, and instead
of performing a given operation(s) on the entire data as
a whole, perform another different operation(s) on each
piece of the divided data so as to still produce the same
results as those that will be obtained if the given operation
is performed on the entire data as a whole. As a
result, the essential operation(s) can be concealed.
[0016] Specifically, pieces of scramble data R1, R2, ...,
and Rn are prepared. Original data D1 to be
processed is divided into data blocks D1[1], D1[2], ...,
and D1[n].

[0017] The data blocks and scramble data are used
to produce scrambled data blocks x[1], x[2], ..., and x[n]
by employing, for example, one of the following methods.

(1) logical AND operation
(2) x[1]=0, x[2]=x-v
(3) x[1]=x AND R, x[2]=x AND -R, where -R is the
inverse of R

[0018] That is, by using the scramble data R1, R2, ...,
and Rn, where R1 XOR R2 XOR ... XOR Rn=2^L-1 (L
is the bit length of D1), the data block (original data) D1
is divided so that D2[1]=D1 AND R1, D2[2]=D1 AND
R2, ..., and D2[n]=D1 AND Rn, where n is an integer. In
this case, the equation D2[1]+D2[2]+...+D2[n]=D1 holds.
In addition to the above logical AND operation, an ordinary
addition operation or subtraction operation can be
used for this purpose. A ring multiplication operation is
performed on values obtained as a result of the above
addition operation or subtraction operation to produce
the final proper value. Since the randomly divided data
blocks D2[1], D2[2], ..., and D2[n] are used instead of
directly using the original data D1, it is difficult to determine
the original data D1 from information included in
the observed current waveform alone. When a plurality
of waveforms are statistically processed (for example,
averaged to remove noise components from them), the
characteristics of each waveform are eliminated, which
further makes it difficult to determine original data (effectively
hiding original information). It should be noted
that the above randomly divided data may be produced
through a division operation using pseudorandom numbers.

[0019] Another method for reducing the correlation
between the contents of the data processing operation
and the consumed current is to change the original data
to be processed, and instead of performing a given operation
on the original data, perform another different
operation on the changed data so as to still produce the
final proper results but consume a current different from
that which will be consumed if the given operation is performed
on the original data.

[0020] Specifically, random scalar data R for scrambling
other data is prepared. Then, by using the prepared
random scalar data R and a particular element V,
the element to be processed is changed from x to x+R*V,
where the symbols "+" and "*" denote ordinary addition
and multiplication operations, respectively. The element
V has the characteristic that whether or not the element
V is added to data, an operation on the data produces
the same results as if the element V were not added to
the data. The above x+R*V can be used as an exponent
or a scalar to scramble statistical processing of waveform
observation data of consumed currents. It should
be noted that the above element V acts as a number of
1 in a multiplication operation, and 0 in an addition operation.
For example, when N=pq, where N is the modulus
of a public key in the RSA cryptosystem, the element
V is a multiple of (p-1)(q-1). When a scalar multiple
of a base point on an elliptic curve is used, the element
V is a multiple of the order of the base point.

EP 1 134 653 A2

[0021] Further, randomly determining the order in 
which each piece of the divided data is processed fur- 
ther makes it difficult to find the correlation between the 
contents of the data processing operation and the con- 
sumed current. 

[0022] Still further, combining all the above methods 
for scrambling encrypted data is effective in further reducing
the correlation between the contents of the data
processing operation and the consumed current. 
[0023] The present invention can be applied to information
hiding for modular multiplication and modular exponentiation
in the RSA cryptography. Furthermore, in
the elliptic curve cryptography, it can be applied to infor- 
mation hiding for multiplication and division in underly- 
ing fields, and the calculation of a scalar multiple of a 
base point. In modular multiplications, the logical AND 
operation described above is used to divide data, and 
then the distributive law is used to obtain the final proper 
result from the divided data. In the modular exponenti- 
ation and the calculation of a scalar multiple of a base 
point, the exponent is divided by means of ordinary sub- 
traction, then modular exponentiation is performed on 
each piece of the divided exponent, and the product of 
the operation results is calculated to obtain the final re- 
sult (proper answer). These operations are effective in 
scrambling encrypted data. It should be noted that the 
above modular multiplications include multiplication in 
a prime field. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0024]

Fig. 1 is a plan view of an IC card and its terminals;

Fig. 2 is a block diagram showing the basic configuration
of a microcomputer;

Fig. 3 is a diagram showing waveforms of currents
consumed in an IC card;

Fig. 4 is a flowchart showing a process of a modular
exponentiation;

Fig. 5 is a flowchart showing a process of scrambling
currents in an IC card by dividing the input data;

Fig. 6A is a flowchart showing the first part of another
process of scrambling currents in an IC card
by dividing the input data;

Fig. 6B is a flowchart showing the second part of
the above another process of scrambling currents
in an IC card by dividing the input data;

Fig. 7A is a flowchart showing the first part of a process
of scrambling currents in an IC card by dividing
the key (secret exponent);

Fig. 7B is a flowchart showing the second part of
the above process of scrambling currents in an IC
card by dividing the key (secret exponent);

Fig. 8A is a flowchart showing the first part of another
process of scrambling currents in an IC card
by dividing the key (secret exponent);

Fig. 8B is a flowchart showing the second part of
the above another process of scrambling currents
in an IC card by dividing the key (secret exponent);

Fig. 9 is a flowchart showing a method for scrambling
currents in an IC card by using exponents having
different bit patterns;

Fig. 10 is a diagram used to illustrate addition on an
elliptic curve;

Fig. 11 is a flowchart showing a process of calculating
a scalar multiple of a point P on an elliptic curve;

Fig. 12A is a flowchart showing the first part of a
process of calculating a scalar multiple of a point on
an elliptic curve, wherein a given scalar is divided
and used for the calculation;

Fig. 12B is a flowchart showing the second part of
the above process of calculating a scalar multiple
of a point on an elliptic curve, wherein a given scalar
is divided and used for the calculation;

Fig. 13A is a flowchart showing the first part of another
process of calculating a scalar multiple of a
point on an elliptic curve, wherein a given scalar is
divided and used for the calculation;

Fig. 13B is a flowchart showing the second part of
the above another process of calculating a scalar
multiple of a point on an elliptic curve, wherein a
given scalar is divided and used for the calculation;

Fig. 14 is a flowchart showing a method for scrambling
currents in an IC card by using scalars having
different bit patterns;

Fig. 15A is a flowchart showing the first part of a
process of randomly determining the order of process
steps after input data is divided;

Fig. 15B is a flowchart showing the second part of
the above process of randomly determining the order
of process steps after input data is divided;

Fig. 16A is a flowchart showing the first part of a
process of randomly determining the order of process
steps after a given exponent is divided;

Fig. 16B is a flowchart showing the second part of
the above process of randomly determining the order
of process steps after a given exponent is divided;

Fig. 17 is a flowchart showing a routine of a modular
multiplication for every two bits of input data;

Fig. 18 is a flowchart showing another process of
randomly determining the order of operations after
a given exponent is divided;

Fig. 19 is a flowchart showing a process of randomly
determining the order of operations after a given
scalar is divided;

Fig. 20 is a flowchart showing a routine of performing
a scalar multiple operation for every two bits of
input data; and

Fig. 21 is a schematic diagram showing the configuration
of a card system.

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0025] This specification describes various embodi- 
ments of the present invention. Therefore, to make it 
easy to understand the various aspects of the present 
invention, description will be first made of the outline of 
the basic ideas on which the various embodiments of 
the present invention are based by using a representa- 
tive RSA cryptographic method as an example before 
explaining specific embodiments of the present inven- 
tion. Then, major aspects of embodiments of the present 
invention will be outlined. These aspects are further de- 
scribed in detail later. 

[0026] To explain how to encrypt data (plaintext) to be 
transmitted, the following description uses, as an example,
general RSA encryption, which is a base for all encryption
methods.

[0027] The general RSA encryption can be expressed
by the following formula,

y = R^e mod N,

where y is ciphertext, R is plaintext, e is a public exponent,
and N is a public modulus. Further, the public exponent
e is also expressed as

ex mod Φ(N) = 1,

where Φ(N)=(p-1)(q-1), which is the Euler's totient function.

[0028] The receiver of the ciphertext decrypts it using
the following formula,

R = y^x mod N,

where y is the ciphertext, x is a secret exponent, and N
is the public modulus. The secret exponent x is held
within the card, specifically, in the IC chip mounted on
the card.

[0029] The present invention is based on the idea that
the information receiving side divides the ciphertext y
and/or the secret exponent x and scrambles the divided
data, and then combines the divided data to restore the
plaintext R. The present invention provides methods for
dividing the ciphertext y or the secret exponent x, and
scrambling them.

[0030] The gist of each preferred embodiment according
to the present invention is described and classified
along with its specific example as follows.

[0031] Next, each preferred embodiment of the 
present invention will be outlined. 
[0032] An information processing device according to
a first embodiment of the present invention comprises:
means for inputting a signal; a storage unit for storing a
program; an operation unit for performing predetermined
data processing according to a program; and
means for outputting a signal; wherein the program
stored in the above storage unit includes one or more
data processing instructions giving an execution direction
to the operation unit; whereby when the signal input
from the above data inputting means is subjected to data
processing, at least one of the above data processing
instructions instructs calculation of the expression A O B
to be performed, where (and hereinafter) the character
"A" denotes a signal, the character "B" denotes a signal
used for a given calculation in data processing, and the
symbol "O" denotes a given operation, the above calculation
to be performed including the steps of: arbitrarily
dividing A into pieces A[1], A[2], ..., and A[n], where
A=A[1]+A[2]+...+A[n], and n is an integer equal to or more
than 1; by using the above pieces A[1], A[2], ..., and
A[n], and the above signal B used for a given calculation
in data processing, calculating each of the equations
B[1]=A[1] O B, B[2]=A[2] O B, ..., and B[n]=A[n] O B to
obtain B[1], B[2], ..., and B[n], separately; and calculating
the addition B[1]+B[2]+...+B[n], where n is an integer
equal to or more than 1.

[0033] An information processing device according to
a second embodiment of the present invention comprises:
means for inputting a signal; a storage unit for storing
a program; storage means for storing a result of a predetermined
calculation; an operation unit for performing
predetermined data processing according to a program;
and means for outputting a signal; wherein the program
stored in the above storage unit includes one or more
data processing instructions giving an execution direction
to the operation unit; whereby when the signal input
from the above data inputting means is subjected to data
processing, at least one of the above data processing
instructions instructs calculation of the expression A O B
to be performed, where (and hereinafter) the character
"A" denotes a signal, the character "B" denotes a signal
used for a given calculation in data processing, and the
symbol "O" denotes a given operation, the above calculation
to be performed including the steps of: arbitrarily
dividing B into pieces B[1], B[2], ..., and B[n], where
B=B[1]+B[2]+...+B[n], and n is an integer; by using the above
signal A and the above pieces B[1], B[2], ..., and B[n],
calculating each of the equations A[1]=A O B[1],
A[2]=A O B[2], ..., and A[n]=A O B[n] to obtain A[1], A[2], ...,
and A[n], separately; and calculating the addition
A[1]+A[2]+...+A[n], where n is an integer.
[0034] Further, an information processing device according
to a third embodiment of the present invention
combines the basic ideas of the above first and second
embodiments as follows. When the signal A and the signal
B are used to calculate the expression A O B, both of
them are divided before a given operation (indicated by
the symbol "O") is performed upon them.
[0035] That is, the third embodiment calculates A O B
by the equation A O B=(A[1]+A[2]+...+A[m]) O (B[1]+B[2]+...+B[n]).
The operation (A[1]+A[2]+...+A[m]) O (B[1]+B[2]+...+B[n])
can be expanded as follows.

(A[1]+A[2]+...+A[m]) O (B[1]+B[2]+...+B[n])
= A[1] O (B[1]+B[2]+...+B[n])
+ A[2] O (B[1]+B[2]+...+B[n])
+ ...
+ A[m] O (B[1]+B[2]+...+B[n])
= A[1] O B[1] + A[1] O B[2] + ... + A[1] O B[n]
+ A[2] O B[1] + A[2] O B[2] + ... + A[2] O B[n]
+ ...
+ A[m] O B[1] + A[m] O B[2] + ... + A[m] O B[n].

[0036] Accordingly, the above operation is expressed
as Σ A[i] O B[j] (where i=1,2,...,m and j=1,2,...,n,
and the symbol Σ indicates summation operation).
This method is advantageous with n or m set to a relatively
small value, because setting a large value for n
and m makes the operation process long since both signals
A and B are to be divided in this method. That is,
whether or not this method is advantageous depends
on the values set for n and m. It should be noted that
when both signals A and B are divided, i≠1 and j≠1.
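
The data division of paragraph [0018] and the double sum of the third embodiment can be followed in code. The block below is an added illustration, not code from the patent; it takes the operation O to be multiplication modulo N, and the function names, the constructed modulus and the use of Python's `secrets` module as the random source are assumptions. It also shows that the AND pieces add back up to the original value only when the masks are pairwise disjoint, which is stronger than the XOR condition of [0018] once n is 3 or more.

```python
import secrets

_rng = secrets.SystemRandom()  # assumed randomness source for this sketch


def mask_split(value, nbits, n):
    """Divide `value` into n pieces D2[i] = value AND R[i] ([0018]).

    Every bit position is given to exactly one mask, so the masks are
    pairwise disjoint, XOR to 2^nbits - 1, and the pieces add up to
    `value` without any carry.
    """
    masks = [0] * n
    for bit in range(nbits):
        masks[secrets.randbelow(n)] |= 1 << bit
    return [value & r for r in masks], masks


def masks_recombine(value, masks):
    """True when the AND pieces taken under `masks` sum back to `value`."""
    return sum(value & r for r in masks) == value


def additive_split(value, n, modulus):
    """Divide `value` into n random pieces that sum to it modulo `modulus`."""
    pieces = [secrets.randbelow(modulus) for _ in range(n - 1)]
    pieces.append((value - sum(pieces)) % modulus)
    return pieces


def split_modmul(a, b, modulus, m=3, n=2):
    """Compute a*b mod modulus as the sum of all A[i] O B[j] ([0035]-[0036]).

    A is divided with AND masks, B with ordinary addition/subtraction.
    The m*n partial products are evaluated in a fresh random order on
    every call ([0021]). Returns (result, number_of_partial_products).
    """
    a_pieces, _ = mask_split(a, max(a.bit_length(), 1), m)
    b_pieces = additive_split(b, n, modulus)
    pairs = [(x, y) for x in a_pieces for y in b_pieces]
    _rng.shuffle(pairs)
    acc = 0
    for x, y in pairs:
        acc = (acc + x * y) % modulus
    return acc, len(pairs)


if __name__ == "__main__":
    N = 0xC5A3B1D7                 # constructed modulus, illustration only
    a, b = 0x01234567, 0x089ABCDE  # constructed operands
    print(split_modmul(a, b, N), (a * b) % N)
    # Disjoint masks recombine; three all-ones masks also XOR to 0xFF
    # but give 3*D1 instead of D1.
    print(masks_recombine(0xD1, [0xF0, 0x0C, 0x03]),
          masks_recombine(0xD1, [0xFF, 0xFF, 0xFF]))
```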
[0037] When the above first, second, or third embodiment
is applied to communications using a card, the signal
A corresponds to information to be transmitted,
namely, plaintext, and the signal B corresponds to key
information. In the following descriptions of embodiments
of the present invention, the signals A and B correspond
to plaintext and key information, respectively,
used for cards unless otherwise mentioned.
[0038] Algebra dictates that the addition operation "+"
and the multiplication operation "O" as employed in the
above first, second, and third embodiments are regarded
as operations in a commutative ring S. The commutative
ring S has two operations, which are the addition
operation and the multiplication operation. Integer operations
are often used as these operations.
[0039] This specification uses concepts and terms
used by mathematics, especially algebra, to describe
various operations employed in the above three preferred
embodiments and the embodiments of the
present invention described below. The following embodiments
according to the present invention differ from
one another in how to divide key information.
[0040] An information processing device according to
a fourth embodiment of the present invention comprises:
means for inputting a signal; a storage unit for storing
a program; storage means for storing a result of a predetermined
calculation; an operation unit for performing
predetermined data processing according to a program;
and means for outputting a signal; wherein the program
stored in the above storage unit includes one or more
data processing instructions giving an execution direction
to the operation unit; whereby when the signal input
from the above data inputting means is subjected to data
processing, at least one of the above data processing
instructions instructs calculation of the expression A^k
to be performed, where (and hereinafter) the character
"A" denotes a signal, the character "k" denotes a signal
used for a given calculation in data processing, and A^k
= A O A O ... O A (the right side of the equation including
k number of A's and "k-1" number of "O"s, which each
denote a given operation), the above calculation to be
performed including the steps of: dividing k into pieces
k[1], k[2], k[3], ..., and k[n], where k=k[1]+k[2]+k[3]+...+k[n],
and n is an integer; by using the above signal A and
the above pieces k[1], k[2], k[3], ..., and k[n], calculating
each of the equations h[1]=A^k[1], h[2]=A^k[2], ..., and
h[n]=A^k[n] to obtain h[1], h[2], ..., and h[n], separately;
and calculating the expression A^k by the equation
A^k=h[1] O h[2] O ... O h[n].

[0041] Algebra dictates that the above operation O as
employed in the present embodiment is regarded as an
operation in a semigroup S. The semigroup has one operation.
An integer operation is often used as the above
operation.

[0042] The above algebraic consideration concerning 
the operation employed in the present embodiment can 
be applied to similar operations appearing in the follow- 
ing descriptions in this specification. 
[0043] An information processing device according to
a fifth embodiment of the present invention comprises:
means for inputting a signal; a storage unit for storing a
program; storage means for storing a result of a predetermined
calculation; an operation unit for performing
predetermined data processing according to a program;
and means for outputting a signal; wherein the program
stored in the above storage unit includes one or more
data processing instructions giving an execution direction
to the operation unit; whereby when the signal input
from the above data inputting means is subjected to data
processing in which the expression A^x is to be calculated,
where the character "A" denotes a signal, the
character "x" denotes a signal used for a given calculation
in data processing, and A^x = A O A O ... O A (the right
side of the equation including x number of A's and "x-1"
number of "O"s, which each denote an operation), at
least one of the above data processing instructions instructs
calculation of the expression A^(x+T) to be performed
instead, where A^T=e.

[0044] Algebra dictates that the above operation O as
employed in the present embodiment is regarded as an
operation in a monoid S. The monoid is a semigroup
having the identity element e. An integer operation is
often used as the above operation. The above algebraic
consideration concerning the operation employed in the
present embodiment can be applied to similar operations
appearing in the following descriptions in this specification.
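
The exponent handling of paragraphs [0020] to [0023] and of the fourth and fifth embodiments, applied to the RSA decryption R = y^x mod N of [0028], looks as follows. This is an added illustration rather than code from the patent; the function names, the 32-bit size of R, the toy key in the demo (p=61, q=53, e=17, x=2753, constructed for the example) and the use of Python's `secrets` module are assumptions.

```python
import secrets

_rng = secrets.SystemRandom()  # assumed randomness source for this sketch


def split_exponent(k, n):
    """Divide k into n non-negative pieces with k = k[1] + ... + k[n].

    Each piece is drawn at random and subtracted from what is left, which
    is the "ordinary subtraction" division mentioned in [0023].
    """
    pieces, rest = [], k
    for _ in range(n - 1):
        part = secrets.randbelow(rest + 1)
        pieces.append(part)
        rest -= part
    pieces.append(rest)
    return pieces


def split_modexp(a, k, modulus, n=3):
    """Fourth embodiment: A^k = h[1] O h[2] O ... O h[n], h[i] = A^k[i].

    O is multiplication modulo `modulus`. The pieces are processed in a
    random order ([0021]), so the sequence of exponentiations differs
    from one run to the next while the product stays the same.
    """
    pieces = split_exponent(k, n)
    _rng.shuffle(pieces)
    result = 1
    for ki in pieces:
        result = (result * pow(a, ki, modulus)) % modulus
    return result


def blind_exponent(x, v, rbits=32):
    """[0020] / fifth embodiment: replace x by x + R*V with random R.

    V must satisfy A^V = e (the identity); for RSA with N = pq the text
    gives V as a multiple of (p-1)(q-1).
    """
    return x + secrets.randbits(rbits) * v


def protected_rsa_decrypt(y, x, p, q, n=3):
    """R = y^x mod N computed with a blinded, divided secret exponent."""
    modulus = p * q
    v = (p - 1) * (q - 1)
    return split_modexp(y, blind_exponent(x, v), modulus, n)


if __name__ == "__main__":
    # Constructed toy key for illustration: e*x = 17*2753 = 1 mod 3120.
    p, q, e, x = 61, 53, 17, 2753
    y = pow(65, e, p * q)          # ciphertext of the plaintext R = 65
    print([protected_rsa_decrypt(y, x, p, q) for _ in range(3)])
    print(blind_exponent(x, (p - 1) * (q - 1)),
          blind_exponent(x, (p - 1) * (q - 1)))  # differs on each call
```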

[0045] Next, description will be made of information 
processing methods according to the present invention. 
[0046] An information processing method according
to a sixth embodiment of the present invention employs:
inputting means for inputting an information signal; storage
means for storing a program for a predetermined
operation; and an output unit for outputting a calculation
result; wherein the above method uses an information
signal A input from the above inputting means and a signal
B to calculate the expression A O B (the symbol "O"
indicates a multiplication operation) according to steps
stored in the above storage means, the above steps
comprising the steps of: arbitrarily dividing the above information
signal A into pieces A[1], A[2], ..., and A[n],
where A=A[1]+A[2]+...+A[n], and n is an integer; by using
the above pieces A[1], A[2], ..., and A[n] and the
above signal B, performing each of the equations
B[1]=A[1] O B, B[2]=A[2] O B, ..., and B[n]=A[n] O B to obtain
B[1], B[2], ..., and B[n], separately, where n is an integer
equal to or more than 1; and calculating the expression
A O B by the equation A O B=B[1]+B[2]+...+B[n], where
the symbol "+" indicates an addition operation.
[0047] It should be noted that the above signal B is 
used for a transformation calculation of the information 
signal A. 

[0048] An information processing method according
to a seventh embodiment of the present invention employs:
inputting means for inputting a signal to be transmitted;
storage means for storing a program for a predetermined
operation; and an output unit for outputting
a calculation result; wherein the above method uses an
information signal A input from the above inputting
means and a signal B to calculate the expression A O B
(the symbol "O" indicates a multiplication operation) according
to steps stored in the above storage means, the
above steps comprising the steps of: arbitrarily dividing
the signal B used for the above transformation calculation
into pieces B[1], B[2], ..., and B[n], where
B=B[1]+B[2]+...+B[n], and n is an integer; by using the above
information signal A and the above pieces B[1], B[2], ...,
and B[n], calculating each of the equations A[1]=A O B[1],
A[2]=A O B[2], ..., and A[n]=A O B[n] to obtain A[1],
A[2], ..., and A[n], separately, where n is an integer; and
calculating the expression A O B by the equation A O B=
A[1]+A[2]+...+A[n], where the symbol "O" indicates a
multiplication operation and the symbol "+" indicates an
addition operation.

[0049] An information processing method according to an eighth embodiment of the present invention combines the basic ideas of the above sixth and seventh embodiments as follows. When the signal A and the signal B are used to calculate the expression A O B, both of them are divided before a given operation (indicated by the symbol "O") is performed upon them.
[0050] That is, the eighth embodiment calculates A O B by the equation A O B=(A[1]+A[2]+...+A[m]) O (B[1]+B[2]+...+B[n]). The operation (A[1]+A[2]+...+A[m]) O (B[1]+B[2]+...+B[n]) can be expanded as follows.

(A[1]+A[2]+...+A[m]) O (B[1]+B[2]+...+B[n])
  = A[1] O (B[1]+B[2]+...+B[n])
  + A[2] O (B[1]+B[2]+...+B[n])
  + ...
  + A[m] O (B[1]+B[2]+...+B[n])
  = A[1] O B[1] + A[1] O B[2] + ... + A[1] O B[n]
  + A[2] O B[1] + A[2] O B[2] + ... + A[2] O B[n]
  + ...
  + A[m] O B[1] + A[m] O B[2] + ... + A[m] O B[n].

[0051] Accordingly, the above operation is expressed as Σ A[i] O B[j] (where i=1, ..., and m, and j=1, ..., and n, and the symbol "Σ" indicates summation operation). As can be seen from the above expression, if i=1, only the signal B is divided; if j=1, on the other hand, only the signal A is divided.

[0052] This method is advantageous with n or m set to a relatively small value, because setting a large value for n and m makes the operation process long since both signals A and B are to be divided in this method. That is, whether or not this method is advantageous depends on the values set for n and m.

[0053] An information processing method according to a ninth embodiment of the present invention lets information on the information transmitting side and a signal k be elements A and k, respectively, in a semigroup S' adopted by this information processing method and performs calculation of the expression A^k, where A^k=AAAA ...AA (the right side of the equation including k number of A's and "k-1" number of "A"s, which each denote an operation in the semigroup S'), the above calculation including the steps of: arbitrarily dividing k into pieces k[1], k[2], k[3], ..., and k[n], where k=k[1]+k[2]+k[3]+...+k[n], and n is an integer equal to or more than 1; by using the above plaintext A and the above pieces k[1], k[2], k[3], ..., and k[n], calculating each of the equations h[1]=A^k[1], h[2]=A^k[2], ..., and h[n]=A^k[n] to obtain h[1], h[2], ..., and h[n], separately; and calculating the expression A^k by the equation A^k= h[1]A h[2]A... A h[n], where the symbol "A" denotes an operation in the semigroup S'.

[0054] An information processing method according to a tenth embodiment of the present invention lets information on the information transmitting side and a signal k be elements A and x, respectively, in a monoid S" (a semigroup having the identity element e) adopted by this information processing method, wherein when the expression A^x is to be calculated, where A^x= AOAO...OA (the right side of the equation including x number of A's and "x-1" number of "0"s, which each denote an operation in the monoid S"), the above information processing method performs calculation of the expression A^(x+T) instead, where A^T=e.
[0055] An eleventh embodiment of the present invention is an information processing method (device) which is a modification of the above first, second, third, or fourth embodiment, wherein the above S, S', or S" is a commutative ring (also a semigroup) of residue classes modulo N (N is a positive integer); the addition operation is addition modulo N, that is, A+B=(A+B) mod N; and the above multiplication operation O, the operation A, or the operation 0 (in the following description of the eleventh embodiment, all of the above three operations O, A, and 0 are represented by O) is a modular multiplication modulo N, that is, A O B=A*B mod N.
[0056] A twelfth embodiment of the present invention is an information processing method which is a modification of the above sixth or seventh embodiment, wherein the above S, S' or S" is a Mordell-Weil group G (E/Fq) for an elliptic curve E in a finite field Fq, where q=p^n and p is a characteristic (a prime number), and the above operation A or 0 is addition in the Mordell-Weil group G (E/Fq).

[0057] The following embodiments relate to specific methods for dividing the above signal A or B. It should be noted that each of the following embodiments shows both an information processing method and an information processing device to simplify this specification.
[0058] A thirteenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above eleventh embodiment, wherein when the modular multiplication A*B mod N is performed, B is divided such that B[1]=B AND R, B[2]=B AND ¬R, B[3]=0, ..., and B[n]=0, where R is an integer and ¬R is its bit inverse.

[0059] A fourteenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above eleventh embodiment, wherein when the modular multiplication A*B mod N is performed, B is divided such that B[1]=V, B[2]=B-V, B[3]=0, ..., and B[n]=0, where V is an integer equal to or less than B, and n is an integer.

[0060] A fifteenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above eleventh embodiment, wherein when the modular multiplication A^x mod N is performed, x is divided such that x[1]=x AND R, x[2]=x AND ¬R, x[3]=0, ..., and x[n]=0, where R is an integer and ¬R is its bit inverse, and n is an integer.

[0061] A sixteenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above eleventh embodiment, wherein when the operation A^x mod N is performed, x is divided such that x[1]=V, x[2]=x-V, x[3]=0, ..., and x[n]=0, wherein V is a random number equal to or less than x, and n is an integer.
[0062] A seventeenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above thirteenth, fourteenth, fifteenth, and sixteenth embodiments, wherein the integer R or V is changed for each calculation. More specifically, the calculation is performed at a step branching from a step at which a decision is made, and each time the calculation is performed after the decision step, the integer R or V to be used for the calculation is changed. This arrangement enhances the security.

[0063] An eighteenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above fifth embodiment, wherein S is a group of residue classes modulo N (N is a positive integer); the operation O is a modular multiplication modulo N (that is, A O B=A*B mod N); and the above T is Sf(N), that is, a multiple S of f(N), where f(N) is Euler's totient function, which indicates the number of integers which are selected from 1, 2, 3, ..., and N, and which are mutually prime to N, and S is a nonnegative integer.
[0064] A nineteenth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above eighteenth embodiment, wherein the above nonnegative integer S is changed for each calculation. More specifically, the calculation is performed at a step branching from a step at which a decision is made, and each time the calculation is performed after the decision step, the nonnegative integer S to be used for the calculation is changed. This arrangement enhances the security.
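The splitting rules of the thirteenth to nineteenth embodiments, written out for the residue ring modulo N as an added example (not code from the patent). The function names, the 32-bit size of S and the small constructed RSA parameters are assumptions made for illustration; each function returns the same value as the unsplit operation while the operands actually processed change on every call.

```python
import secrets
from math import gcd


def split_and(b, r):
    """Thirteenth/fifteenth embodiment: b = (b AND R) + (b AND NOT R).

    The two pieces have no set bit in common, so their integer sum is b.
    """
    return b & r, b & ~r          # b >= 0, so b & ~r is non-negative in Python


def split_sub(b):
    """Fourteenth/sixteenth embodiment: b = V + (b - V) with 0 <= V <= b."""
    v = secrets.randbelow(b + 1)
    return v, b - v


def masked_modmul(a, b, n):
    """A*B mod N computed as (A*B[1] + A*B[2]) mod N with a fresh R per call."""
    r = secrets.randbits(n.bit_length())   # seventeenth embodiment: R changes each time
    b1, b2 = split_and(b % n, r)
    return (a * b1 % n + a * b2 % n) % n


def split_modexp(a, x, n):
    """A^x mod N computed as A^x[1] * A^x[2] mod N with x = V + (x - V)."""
    v, rest = split_sub(x)
    return pow(a, v, n) * pow(a, rest, n) % n


def blinded_modexp(a, x, n, phi_n, s_bits=32):
    """A^(x + S*f(N)) mod N (eighteenth/nineteenth embodiment).

    Relies on A^f(N) = 1 mod N, which holds only when gcd(A, N) = 1.
    s_bits is an assumed size for the random multiplier S.
    """
    if gcd(a, n) != 1:
        raise ValueError("A must be a unit modulo N for A^T = e to hold")
    s = secrets.randbits(s_bits)            # S changes for each calculation
    return pow(a, x + s * phi_n, n)


# Constructed toy RSA parameters (far too small for real use).
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # f(N) = 3120
E = 17
X = 2753                   # secret exponent: X*E mod f(N) = 1


def self_check(rounds=200):
    """Return True when every masked variant matches the direct result."""
    for _ in range(rounds):
        a = secrets.randbelow(N - 1) + 1
        b = secrets.randbelow(N)
        if masked_modmul(a, b, N) != a * b % N:
            return False
        if split_modexp(a, X, N) != pow(a, X, N):
            return False
        if gcd(a, N) == 1 and blinded_modexp(a, X, N, PHI) != pow(a, X, N):
            return False
    return True


if __name__ == "__main__":
    print("all variants agree:", self_check())
```

The exponent blinding is the only variant with a precondition: for an operand sharing a factor with N the identity A^T=e does not hold, so the function refuses it rather than return a wrong result.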

[0065] Next, description will be made of embodiments 
of the present invention which use elliptic curves. 
[0066] A twentieth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twelfth embodiment, wherein when an integer R and its bit inverse ¬R are used to calculate kP (which is a scalar multiple k of P, where k is an integer and P is a point on an elliptic curve E), the twentieth embodiment divides k such that k=k[1]+k[2]+k[3]+...+k[n], where k[1]=k AND R, k[2]=k AND ¬R, and k[3]=k[4]=...=k[n]=0, and n is an integer.

[0067] A twenty-first embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twelfth embodiment, wherein when an integer V equal to or less than k is used to calculate kP (which is a scalar multiple k of P, where k is an integer and P is a point on an elliptic curve E), the twenty-first embodiment divides k such that k=k[1]+k[2]+k[3]+...+k[n], where k[1]=V, k[2]=k-V, and k[3]=k[4]=...=k[n]=0, and n is an integer equal to or more than 1.

[0068] A twenty-second embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twelfth embodiment, wherein the above S is set to the Mordell-Weil group G (E/Fq) for the elliptic curve E in the finite field Fq, where q=p^n and p is a characteristic (a prime number), and the operation O is addition in the Mordell-Weil group G (E/Fq). With this arrangement, when kP (which is an integer multiple k of P, where P is a point on the elliptic curve E) is calculated, the twenty-second embodiment calculates kP by the equation kP=(k+SR)P, where R is the order of the point P, that is, RP=0 (the point at infinity), and S is an integer.
[0069] In the preferred embodiments of the present invention, it is preferred to change each piece of information used for transformation calculation at all corresponding steps included in each calculation process performed after a decision step. In addition, the above change is typically made for each iteration. However, it is possible to change the information only at a specific step. There are several methods for changing the transformation calculation, such as changing the information to be used itself, and changing the order of the calculation. The following embodiments of the present invention provide these methods.

[0070] A twenty-third embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twentieth embodiment and twenty-first embodiment, wherein the value of the integer R or V is changed for each corresponding calculation process.
[0071] A twenty-fourth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twenty-third embodiment, wherein the value of the integer S is changed for each corresponding calculation process.

[0072] A twenty-fifth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above first, second, and third embodiments, wherein when B[1], B[2], B[3], ..., and B[n] which are obtained as a result of dividing B are each processed in a separate calculation process, the order of the contents of each calculation process is changed.

[0073] A twenty-sixth embodiment of the present invention is an information processing method or an information processing device which is a modification of the fourth embodiment, wherein when k[1], k[2], k[3], ..., and k[n] which are obtained as a result of dividing k are each processed in a separate calculation process, the order of the contents of each calculation process is changed.
[0074] A twenty-seventh embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twenty-fifth embodiment, wherein S is a commutative ring (also a semigroup) of residue classes modulo N (N is a positive integer); the addition operation is addition modulo N, that is, A+B=(A+B) mod N; and the operation O is a modular multiplication modulo N, that is, A O B=A*B mod N.

[0075] A twenty-eighth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twenty-sixth embodiment, wherein S is a commutative ring (also a semigroup) of residue classes modulo N (N is a positive integer); the addition operation is addition modulo N, that is, A+B=(A+B) mod N; and the operation O is a modular multiplication modulo N, that is, A O B=A*B mod N.

[0076] A twenty-ninth embodiment of the present invention is an information processing method or an information processing device which is a modification of the above twenty-sixth embodiment, wherein S is a Mordell-Weil group G (E/Fq) for an elliptic curve E in a finite field Fq, where q=p^n and p is a characteristic (a prime number), and the operation O is addition in the Mordell-Weil group G (E/Fq). As described in the above embodiments, the information processing devices and information processing methods of the present invention are typically applied to cards as represented by the IC card.
[0077] The major preferred embodiments of the present invention were described above. The following description outlines specific methods for applying the present invention to cards.

[0078] A semiconductor integrated circuit device incorporating the information processing device described above can be applied to a card so as to provide the card with high security. Cards are of two types: the contact type and the contactless type. The preferred embodiments of the present invention can be applied to both types.

[0079] The above chip (semiconductor integrated circuit device) operates according to a signal supplied from the outside, for example, from a terminal.

[0080] It should be noted that a terminal of a type used for a general card system is enough as the above terminal. Brief description will be made of the operation of a card system. Fig. 21 illustrates the concept of the card system.

[0081] An IC card 52 includes a chip 51, and exchanges data with a reader/writer 53. The reader/writer 53 includes a control processor 54 and a magnetic disk 55 used as a database. To begin with, the reader/writer 53 issues to the IC card 52 an inquiry as to an ID. For example, the reader/writer 53 makes an inquiry to the IC card 52 as to an ID such as a name code or an identification code specifying a person in charge of managing the IC card. This step is indicated by reference numeral (1) in Fig. 21. This name code or identification code is stored in a predetermined area in the IC chip. In response to the inquiry, the IC card sends the name code to the reader/writer. This step is indicated by reference numeral (2) in Fig. 21. The reader/writer searches the database 55 for the name code to obtain the corresponding key code stored in the database.
[0082] The reader/writer sends a random number to the IC card. This random number is generated in an MPU within the reader/writer by means of hardware. The random number also can be supplied from the server side via a LAN, etc. After receiving the random number, the IC card receives a command from the reader/writer, and according to the command, the IC card generates another random number obtained as a result of encrypting the received random number by use of a key code generated by a key code generator.
[0083] The reader/writer also encrypts the same random number as that sent to the IC card using the key code obtained from the database. The encrypted random number obtained by the reader/writer is compared with the encrypted random number obtained by the IC card. If they coincide, it is determined that the IC card is valid, completing the mutual authentication between the IC card and the reader/writer.
[0084] As described above, in this system, upon receiving the key code, the reader/writer searches for the same key code and its corresponding ID stored in a magnetic disk. In this way, the validity of the ID is verified.

[0085] The generated key code (ID code) of each IC 
card is stored in a database together with the name code 
or the identification code. 

[0086] The generated key code can be used to au- 
thenticate the card holder, check whether the IC card 
has been forged, or carry out mutual authentication be- 
tween the IC card and the reader/writer when the IC card 
is used as electronic money. 

[0087] The above system can be applied to a number 
of fields such as payment at a general store, purchase 
of a ticket, examination of a commutation ticket, check- 
ing of a driver's license, and a telephone call using a 
telephone card. 

[0088] The cards and the card systems described 
above can be realized using the following preferred em- 
bodiments of the present invention. 
[0089] Each preferred embodiment of the present in- 
vention will be concretely described below. 
[0090] The present embodiment is described using as examples the RSA cryptography and the elliptic curve cryptography which are representative of the public-key cryptography (asymmetric cryptography) even though the present embodiment can be applied to other cryptographic methods.

[0091] The RSA cryptography in general is substantially described in a book entitled "Introduction to Cryptography" authored by E. Okamoto and published by Kyoritsu Syuppan, and another book entitled "Handbook of Applied Cryptography" authored by A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone and published by CRC-Press. The elliptic curve cryptography in general, on the other hand, is substantially described in the book "A Course in Number Theory and Cryptography: Graduate Texts in Mathematics 114 (Second Edition)" authored by N. Koblitz, who devised this cryptographic method, and published by Springer-Verlag in 1987. The operation on elliptic curves is detailed in the book "Rational Points on Elliptic Curves" authored by J.H. Silverman and J. Tate and published by Springer-Verlag in 1992, while algebra in general, including groups, rings, and fields is substantially described in the book "Introduction to Algebra" authored by K. Matsuzaka and published by Iwanami Shoten.

[0092] In the public-key cryptography (asymmetric-key cryptography), secret information is generally included in a public key, and the public-key cryptography is based on the fact that it takes an extremely long time (and therefore it is not practical) to deduce the secret information from the public key by computation, providing computational security. The problem of factorization into prime numbers and the problem of discrete logarithm in a group are typical problems used for providing such computational security for the public-key cryptography. The RSA cryptography uses the former problem, while the elliptic curve cryptography uses the latter by applying it to a group on an elliptic curve.

<Application to RSA Cryptography>

[0093] To begin with, brief description will be made of the RSA cryptography as a basic cryptographic method to which the present invention is applied.

[0094] In the RSA cryptography, the product n of two large prime numbers p and q (for example, two 512-bit prime numbers) is calculated (that is, n=pq). After that, a number e mutually prime to n is selected and registered with a public-key list as a public key. In IC cards, the above number e mutually prime to n is often set to be a number of 3 or 65537.

[0095] The data (plaintext) is encrypted as follows.
[0096] A transmitter B encrypts data (plaintext) y expressed in numbers equal to 1 or larger than 1 but not larger than N-1 by use of the formula R=y^e mod n, where the expression "y^e" indicates y to the e-th power, and transmits the ciphertext R to a holder A of the above public key.

[0097] Upon receiving the ciphertext R, the public-key holder A calculates R^x mod n, where x denotes a secret key and xe mod (p-1)(q-1)=1. It should be noted that the secret key x is generally stored in the semiconductor chip mounted on a card.

[0098] The expression (p-1)(q-1) is the value of Euler's totient function f(N) for N, which is equal to the number of natural numbers mutually prime to N. According to Euler's theorem, the equation R^((p-1)(q-1)) mod n=1 holds. On the other hand, since the above equation xe mod (p-1)(q-1)=1 can be expressed as xe=1+k(p-1)(q-1), where k is an integer, the following equations hold.

R^x mod n = y^(xe) mod n
          = y^(1+k(p-1)(q-1)) mod n
          = y*y^(k(p-1)(q-1)) mod n
          = y

[0099] Accordingly, the public-key holder A decrypts the plaintext y sent from the transmitter B by calculating the expression R^x mod n.

[0100] As described above, the secret key x is produced through a calculation using the product n of the two large prime factors p and q. No method has so far been known to be capable of deducing x without using factorization. Since factorizing the product of large prime numbers takes an unrealistic amount of time, the factorization of the product n is practically impossible. Therefore, even if the product n of the two large prime numbers is made public, the secret key of the public-key holder A is secured.

[0101] The operations employed in the RSA cryptography can be regarded as those on an integer residue class ring Zn modulo n.

[0102] Furthermore, the operations employed in the 
RSA encryption/decryption are referred to as modular 
exponentiations. Fig. 4 is a flowchart showing an exam- 
ple of an algorithm generally implemented on a compu- 
ter to perform modular exponentiation. Important points 
of the calculation flow in Fig. 4 performing the operation 
y^x mod n are described as follows. 
[0103] At step 0401, the encryption calculation ac- 
cording to the present invention starts. 

(1) The secret key x is read in units of a desired number of bits, for example, for every two bits. If the read two bits (a bit block of two bits) are "00", the variable A[0] (which stores a value of 1) is assigned to the bit block. Similarly, depending on whether the read bit-block is "01", "10", or "11", the variable A[1] (which stores the value of the expression "y"), A[2] (which stores the value of the expression "y^2 mod n"), or A[3] (which stores the value of the expression "y^3 mod n") is assigned to the read bit-block, respectively.

(2) Modular multiplication using one of the above variables A[0], A[1], A[2], and A[3] is performed.

[0104] It should be noted that the secret key x is divided in units of two bits in the above description for simplification. The secret key x may be divided in units of any arbitrary number of bits, such as one bit, three bits, or four bits. However, the same calculation method is employed in any case. When the secret key x is divided in units of j bits, the calculation is carried out 2^j times. This process of dividing the secret key x for every j bits (or every arbitrary number of bits) is referred to as dividing the secret key x using a window width.
[0105] The following preferred embodiments of the present invention also use this calculation method even though not indicated as such.

[0106] In the calculation flow, the fourth-power operation at step 0402 is performed regardless of the number of bits making up the bit block. In the subsequent modular multiplication, four decision steps, 0403, 0404, 0405, and 0406 are provided so that the flow branches out into four steps 0407, 0408, 0409, and 0410, respectively. Each decision step determines whether the value of a bit block (of two bits in this case) to be checked is equal to that assigned to the decision step. The modular multiplication at one of steps 0407, 0408, 0409, and 0410 is performed depending on the value of the bit block. The modular multiplications at steps 0407, 0408, 0409, and 0410 are different from one another as to which variable (A[0], A[1], A[2], or A[3]) is assigned to them. The values of the variables A[0], A[1], A[2], and A[3] are stored in the table prepared at step 0401.
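The calculation flow described for Fig. 4, written out as an added example (not code from the patent): a fixed-window modular exponentiation that also records which table entry A[i] each step multiplies by. The function names and the small constructed values used to exercise it are assumptions; the recorded sequence shows that the choice of operand encodes the secret exponent block by block, which is the dependency the embodiments of the invention set out to randomize.

```python
def build_table(y, n, width=2):
    """Table preparation: A[i] = y^i mod n for every possible bit-block value i."""
    table = [1 % n]
    for _ in range((1 << width) - 1):
        table.append(table[-1] * y % n)
    return table


def window_modexp(y, x, n, width=2):
    """Left-to-right fixed-window exponentiation.

    Returns (y^x mod n, used), where used lists the index of the table entry
    multiplied in at each step, most significant bit block first.
    """
    if x < 0 or n < 1 or width < 1:
        raise ValueError("need x >= 0, n >= 1 and width >= 1")
    table = build_table(y, n, width)
    nblocks = max(1, (x.bit_length() + width - 1) // width)
    mask = (1 << width) - 1
    s = 1 % n
    used = []
    for i in range(nblocks - 1, -1, -1):
        # Key-independent part: S = S^(2^width) mod n (the fourth power for width 2).
        for _ in range(width):
            s = s * s % n
        # Key-dependent part: the bit block selects the operand, including A[0] = 1.
        block = (x >> (i * width)) & mask
        s = s * table[block] % n
        used.append(block)
    return s, used


def exponent_from_blocks(blocks, width=2):
    """Concatenate the recorded block values; the result is the exponent itself."""
    value = 0
    for b in blocks:
        value = (value << width) | b
    return value


if __name__ == "__main__":
    # Constructed toy values, not the ones quoted in the specification.
    y, x, n = 65, 0b11011000, 3233
    result, used = window_modexp(y, x, n)
    print(result == pow(y, x, n), used, exponent_from_blocks(used) == x)
```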

[0107] Generally, modular multiplication requires a significant amount of processing power, consuming an extremely large current. Especially in a calculation using data of a large bit-width, it may be possible to deduce which one of A[0], A[1], A[2], and A[3] is currently being processed. Suppose that a 16 bit wide operation is to be performed, for simplification. Let y=58981 and n=59989 (=239*251). A[0], A[1], A[2], and A[3] are expressed as the following binary-bit strings.

A[0]=0000000000000001
A[1]=0011001010011000
A[2]=1011001011001110
A[3]=1001111110010101

[0108] Accordingly, each bit string produces a different current waveform, which can be observed by measuring the current consumed in the IC card. Based on differences between such current waveforms, four different current waveform patterns may be obtained from which to derive the bit pattern of the secret key. Specifically, based on the four different current waveforms, the bit pattern of the secret key can be obtained by making a number of attempts equal to all possible permutations of the current waveform patterns, that is, 4!=24 (patterns). Even when the number of bits of modulus n is increased, the same method can be used.
[0109] It should be noted that since the implementation of this modular multiplication requires a significant amount of processing power, a dedicated coprocessor is used for this operation instead of the built-in CPU in many IC cards.

[0110] This attack method is very effective when the number of bits of the modulus n is increased. For example, when the modulus n is set to a number having 2048 bits, it is practically impossible to factorize the modulus n. However, if the current consumed in the IC chip can be observed by use of an oscilloscope, the bit pattern of the secret key may be derived. For example, the following procedure may be used to find the value of x (having about 2000 bits). First, classify the consumed currents into four types. At that time, the bit value of each consumed current is divided into bit blocks (if each bit block is set to have 2 bits, there are about 1000 bit blocks) for comparison. Next, perform a modular exponentiation on each of the four types using another computer. Then, compare the result of each modular exponentiation with the output of the IC chip to see whether they coincide. This comparison requires only 24 attempts. Accordingly, the considerable possibility of confidential data being derived is left open in the above conventional encryption method in which data (plaintext) y is encrypted by use of the above formula R=y^e mod n, and a secret key is applied.

[0111] As described above, the preferred embodi- 
ments of the present invention are provided to protect 
the secret key against such an attack. 

(Division of input data) 

[0112] Description will be made of a first method according to the present invention for scrambling currents in an IC card by dividing the input data.
[0113] It should be noted that the following description illustrates each calculation algorithm and its major implementation methods. There may be other implementation methods in addition to those described below, depending on each calculation algorithm. However, the implementation methods for this first method of the present invention can be also satisfactorily applied to other methods of the present invention described below.
[0114] To exchange ciphertext by use of a secret key, the present invention employs a conventional method. That is, the receiver B of ciphertext generates two keys by use of a predetermined cryptographic method. One of them is a "secret key" dedicated for decryption. It is held by the receiver B itself and used to decrypt ciphertext. The other is a "public key" to be sent to a transmitter A that sends the ciphertext. The receiver B sends the public key to the transmitter A as required, or alternatively the receiver B makes the public key public beforehand. The receiver B decrypts transmitted ciphertext by use of the secret key. The above method for exchanging ciphertext is also employed by other methods (described below) of the present invention for scrambling currents in an IC card. In the first method, the secret key x is stored in, for example, a storage means of a semiconductor chip, such as an EEPROM in the storage unit.
[0115] Fig. 5 is a flowchart showing encryption and decryption operations according to the first method.
[0116] As described in the above general encryption of plaintext, the transmitter A encrypts data y by use of the formula y^e mod n (=R), and transmits the encrypted data to the receiver B.

[0117] Receiving this ciphertext R, the receiver B calculates the expression R^x mod n (=y) using a secret key x. The value of the secret key x is determined by, for example, the equation x*e mod (p-1)(q-1)=1. As can be seen from the above description, the encryption and the decryption use similar calculation methods. Fig. 5 is a flowchart showing a process of an encryption operation on data y. A similar process is used to decrypt the transmitted encrypted data R.

[0118] At step 0500, the encryption calculation of the first method starts.

(1) A secret key x generated beforehand is divided in units of a desired number of bits, for example, for every two bits (a bit block). The variables A[0], A[1], A[2], and A[3] are each assigned the value of a predetermined different modular exponentiation. For example, A[0]=1, A[1]=y, A[2]=y^2 mod n, and A[3]=y^3 mod n. These variables and values are listed in a table.
Furthermore, all possible values of the bit block are each assigned to one of the variables. For example, the value "00" is assigned to A[0]. Similarly, the values "01", "10", and "11" are assigned to A[1], A[2], and A[3], respectively. This arrangement is the same as that described above. (step 0501)
Each of the above operations is carried out by the central processing unit (CPU) or a coprocessor in an IC. The operation results are stored in a storage means, for example, generally a RAM in a data storage unit. The stored operation results (data) are retrieved from the storage means as necessary for calculation.

(2) An operation result S is initialized to 1 at step 0514.

(3) A random number R for scrambling is generated. In this case, a pseudorandom number may be used as the random number R. It should be noted that the random number R must be set to have a number of bits substantially equal to the number of bits of n. (step 0503)
This random number R is generated by the CPU. Alternatively, the random number R may be generated in another special area in the IC. The generated random number is generally stored in a data storage unit. The generated random number may be directly used for an operation instead of being stored in the data storage unit. Conventional methods for generating a random number and applying it to calculations in encryption can be satisfactorily applied to the present invention.

(4) An operation using the fourth power of S is performed. Specifically, the operation S=S^4 mod n is carried out. The secret key x (its bit value) is not involved in this operation. (step 0502)

(5) It is determined which decision step corresponds to each bit block obtained as a result of dividing the secret key x. That is, it is determined whether each bit block is "00", "01", "10", or "11". (steps 0504, 0505, 0506, and 0507)

(6) The random number R for scrambling is used to perform transformation calculation of the table values.

[0119] The table values of A[0], A[1], A[2] and A[3] are each transformed and set for B[0] and B[1] as follows.

[0120] When the bit-block value is "00", the operations B[0]=A[0] AND R and B[1]=A[0] AND ¬R are performed as transformation calculations. (step 0509)

[0121] When the bit-block value is "01", the operations B[0]=A[1] AND R and B[1]=A[1] AND ¬R are performed as transformation calculations. (step 0510)

[0122] When the bit-block value is "10", the operations B[0]=A[2] AND R and B[1]=A[2] AND ¬R are performed as transformation calculations. (step 0511)

[0123] When the bit-block value is "11", the operations B[0]=A[3] AND R and B[1]=A[3] AND ¬R are performed as transformation calculations. (step 0512)

[0124] Each of the above operations is carried out by the central processing unit (CPU) or a coprocessor in an IC. The operation results are stored in a storage means, for example, generally a RAM in a data storage unit. The stored operation results (data) are retrieved from the storage means as necessary for calculation.

[0125] The transformation calculations at steps 0509, 0510, 0511, and 0512 in Fig. 5 randomly divide the original data A[i] (i=0,1,2,3,4). It should be noted that pseudorandom numbers may be used to randomly divide the original data.

[0126] As in the above example, let y=58981 and n=59989 (=239*251). The table values for A[0], A[1], A[2], and A[3] are expressed as the following binary-bit strings.

A[0]=0000000000000001
A[1]=0011001010011000
A[2]=1011001011001110
A[3]=1001111110010101

[0127] Let R=1001100110010101. If the bit-block value is the binary number "10", A[2] is selected and thereby the following transformed values are obtained.

B[0]=1001000010000100
B[1]=0110011001101010

[0128] Since the current value "1" of A[0] has little scrambling effect, a value of 1+n may be set for A[0].

(7) By using B[0] and B[1] thus obtained, the following operations are performed at step 0508.

S1=S*B[0] mod n

S2=S*B[1] mod n

Since the above calculation process consumes a large current, an attacker observing the current may try to derive the secret key from its value. However, since the data (secret key) is randomly divided, the attacker only observes current waveforms different from those of the original data. This confuses the attacker. If the attacker tries to observe the waveforms more accurately by statistically processing them, this only leads to further confusion (effectively confusing the attacker) since the random number employed changes for each iteration.

(8) The above operation results S1 and S2 are combined as follows. Even after all of the above operations have been performed, the equation B[0]+B[1]=A[2] still holds. Therefore, lastly the operation at step 0513 in Fig. 5 is performed since

S1+S2 mod n = S*(B[0]+B[1]) mod n = S*A[2] mod n.

(9) It is determined whether all the bit blocks have been checked for transformation calculation, at step 0515. If all the bit blocks have been checked, the encryption process ends, producing the proper data to be transmitted at step 0516.

[0129] The encrypted data to be transmitted thus obtained is generally stored in, for example, a RAM temporarily. The data is output from an input/output port as necessary. The input/output operation of a card system was already schematically described above with reference to Fig. 21.

[0130] The receiver decrypts the transmitted encrypted data using the same method as that described above and employing the formula R^x mod n (=y), where R is the transmitted encrypted data.

[0131] It should be noted that even though the above method (the first method of the present invention) for dividing input data divides only the signal A, it is possible to divide both signals A and B. In this case, the expression ΣA[i]○B[j] is calculated, where i=1,...,m and j=1,...,n.

[0132] Next, description will be made of a second method of the present invention for scrambling currents in an IC card by dividing the input data. Figs. 6A and 6B are flowcharts showing another process of scrambling currents in an IC card by dividing the input data. It should be noted that Fig. 6A shows the first part of the flowchart, while Fig. 6B shows the second part. They are linked together at (A) and (B). This method uses an operation which restricts the random number R to less than a certain value. It should be noted that process steps of the second method different from those of the above first method will be mainly described below.

[0133] Also in this method, the transmitter A encrypts data y by use of the formula y^e mod n, and transmits the encrypted data to the receiver B. Receiving the ciphertext R, the receiver B calculates the expression R^x mod n using a secret key x. The value of the secret key x is determined by, for example, the equation x*e mod (p-1)(q-1)=1.

[0134] As in the example of Fig. 5, the process shown in Figs. 6A and 6B takes the following steps.

[0135] The calculation starts at step 0600.

(1) A table is prepared at step 0601.

(2) Initialization is carried out for the calculation at step 0618.

(3) A random number R for scrambling is generated at step 0603 (this random number R has a number of bits substantially equal to the number of bits of n).

(4) The fourth-power operation S=S^4 mod n is performed at step 0602.

Up to this step, the secret key x (its bit value) is not involved in the calculation.

(5) Depending on the value of each bit block obtained as a result of dividing the secret key x, it is determined which decision step corresponds to each bit block, that is, whether the value of each bit block is "00", "01", "10", or "11". (steps 0604, 0605, 0606, and 0607)

Next, the random number R for scrambling is used to perform transformation calculation of the table values. That is, this second method of the present invention performs the following operations.

(6) The value of the random number R is restricted to less than a certain value determined depending on the value of each bit block.

When the value of a bit block is "00", the random number R restricted to less than the value of A[0] is set for a variable T. Similarly, depending on whether the value of a bit block is "01", "10", or "11", the random number R restricted to less than the value of A[1], A[2], or A[3] is set for T, respectively. (steps 0609, 0610, 0611, and 0612)

(7) By using T whose value was determined as described above, the following operations are performed which each correspond to a respective decision step (condition).

That is, using T, the value of A[j] (j=0,1,2,3) is randomly divided by the operations B[0]=A[j]-T and B[1]=T. (steps 0614, 0615, 0616, and 0617)

(8) By using B[0] and B[1] thus obtained, the following operations are performed at step 0608.

S1=S*B[0] mod n

S2=S*B[1] mod n

Since the above operation process consumes a large current, an attacker observing the current may try to derive the secret key from its value. However, the input data is randomly divided (this division may be made by use of pseudorandom numbers). Therefore, the attacker only observes current waveforms different from those of the original data. This confuses the attacker. Especially, if the attacker tries to observe the waveforms of the consumed currents more accurately by statistically processing the waveforms, this only leads to further confusion (effectively confusing the attacker) since the random number employed changes for each iteration.

(9) The above operation results S1 and S2 are combined at step 0613 as follows. The equation S1+S2 mod n = S*(B[0]+B[1]) mod n = S*A[j] mod n holds since B[0]+B[1]=A[j]. Therefore, the operation S=S1+S2 mod n is performed at step 0613 to produce the final proper result (data) to be transmitted.

[0136] It should be noted that to decrypt the transmitted encrypted data, it is only necessary to use the same method as that described above and employ the formula R^x mod n (=y), where R is the transmitted encrypted data.
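The first and second methods described above, as an added Python sketch that is not part of the patent text: for every 2-bit block the selected table value A[j] is split into B[0] and B[1] with a fresh random number, the two modular multiplications are done separately, and their sum is checked against plain modular exponentiation. y and n are the values of paragraph [0126]; the public exponent e=3, the function names, and the use of 1+n for A[0] (the option mentioned in [0128]) are choices made for this example.

```python
import secrets

def two_bit_blocks(x):
    """2-bit blocks of the exponent x, most significant block first."""
    nbits = max(2, x.bit_length() + x.bit_length() % 2)
    return [(x >> shift) & 0b11 for shift in range(nbits - 2, -1, -2)]

def split_and(a, n):
    """First method: B[0] = A AND R, B[1] = A AND (bit inverse of R)."""
    width = max(n.bit_length(), a.bit_length())
    r = secrets.randbits(width)              # R has about as many bits as n
    mask = (1 << width) - 1
    return a & r, a & (~r & mask)            # disjoint bits, so B[0]+B[1] == A

def split_sub(a, n):
    """Second method: T is a random value below A; B[0] = A - T, B[1] = T."""
    t = secrets.randbelow(a) if a > 0 else 0
    return a - t, t

def scrambled_modexp(y, x, n, split):
    """Return (y^x mod n, trace); trace holds the (B[0], B[1]) pair per block.

    The trace stands in for the operands whose processing an observer of the
    current would see; it changes on every call although the result does not.
    """
    # Table A[0..3]; A[0] = 1+n is congruent to 1 but gives the split
    # something to randomise (the bare value 1 has almost no bits to divide).
    table = [1 + n, y % n, pow(y, 2, n), pow(y, 3, n)]
    s, trace = 1, []
    for block in two_bit_blocks(x):
        s = pow(s, 4, n)                     # S = S^4 mod n, key not involved
        b0, b1 = split(table[block], n)      # fresh random split for this block
        s1 = (s * b0) % n                    # S1 = S*B[0] mod n
        s2 = (s * b1) % n                    # S2 = S*B[1] mod n
        s = (s1 + s2) % n                    # S1+S2 = S*A[j] mod n
        trace.append((b0, b1))
    return s, trace

if __name__ == "__main__":
    n, y = 59989, 58981                      # values from paragraph [0126]
    phi = 238 * 250                          # (p-1)(q-1) for n = 239*251
    e = 3                                    # constructed public exponent
    x = pow(e, -1, phi)                      # secret key: x*e mod phi == 1
    cipher = pow(y, e, n)
    for split in (split_and, split_sub):
        plain, trace = scrambled_modexp(cipher, x, n, split)
        print(split.__name__, "recovers y:", plain == y, "first splits:", trace[:2])
```

Running it twice prints different splits for the same ciphertext and key, which is the property the text relies on against waveform averaging.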

(Division of a secret key) 

[0137] Description will be made of a method for scrambling currents in an IC card by dividing a secret key instead of the input data. This method of dividing a secret key has no effect in scrambling the currents if each current is directly observed (that is, if each single waveform of a consumed current is observed). However, this method is effective in hiding information if many waveforms are gathered and subjected to statistical processing.

[0138] First, description will be made of an example to which the RSA cryptography is basically applied. As described above, Fig. 4 shows RSA encryption/decryption operations.

[0139] First, it should be noted that to successfully derive a secret key by use of statistical processing, each bit value of the secret key must remain the same during the statistical processing. This means that if the secret key is randomly divided (this division may be made by use of pseudorandom numbers), such processing can be confused (by scrambling the secret key). Figs. 7A and 7B are flowcharts showing a process of scrambling currents in an IC card by dividing the secret key (secret exponent). It should be noted that Fig. 7A shows the first part of the above process, while Fig. 7B shows the second part. They are linked together at (A).
[0140] The process shown in Figs. 7A and 7B takes the following steps.

(1) As in the above process shown in Fig. 4, after the calculation starts at step 0700, a table is prepared to store the values of expressions each assigned to a respective one of the variables A[0], A[1], A[2], and A[3], at step 0701.

(2) Then, initialization is carried out by letting S1=1 and S2=1. The variables S1 and S2 are each provided to hold a value obtained as a result of calculation using a respective one of two divided secret keys. (step 0714)

(3) A random number R for scrambling is prepared. In this case, a pseudorandom number may be used as the random number R. (step 0702)

(4) The secret key x is divided into two divided secret keys using the random number R for scrambling as follows. (step 0703)

t[0]=x AND R
t[1]=x AND ¬R, where ¬R is the bit inverse of R.

The two divided secret keys t[0] and t[1] are each used to perform respective modular exponentiations. The process of these modular exponentiations is the same as that of the ordinary one as illustrated below.

(5) To begin with, the fourth-power operations S1=S1^4 mod n and S2=S2^4 mod n are performed at steps 0704 and 0705.

(6) It is determined which decision step corresponds to each bit block obtained as a result of further dividing the above divided secret keys t[0] and t[1] for every two bits, starting from the bit block of the most significant two bits of one of the divided secret keys, and sequentially checking one bit block after another. The above determination is made based on the value of each bit block, that is, whether the value of each bit block is "00", "01", "10", or "11". (steps 0706, 0707, 0708, 0709, 0710, 0711, 0712, and 0713)

(7) The following modular multiplications are performed using the above S1 and S2, and the values stored in the table prepared at step 0701. (steps 0714, 0715, 0716, 0717, 0718, 0719, 0720, and 0721)

S1=S1*A[j] mod n, where j=0,1,2,3.
S2=S2*A[j] mod n, where j=0,1,2,3.

(8) If all the bit blocks have been checked, the final values of S1 and S2 are obtained. (steps 0723 and 0724)

(9) Lastly, the operation S1*S2 mod n is performed at steps 7025 and 7026.

[0141] Since t[0]+t[1]=x, the equation S1*S2 mod n = y^x mod n holds. The right side of the equation is the original encryption formula for data to be transmitted.

[0142] To successfully perform statistical processing of current waveforms, each bit value of the secret key must remain the same no matter how many times the corresponding process is performed. The simplest example of the statistical processing is averaging of waveforms to remove noise components from them. This method of removing noise is widely used. Actually, many digital oscilloscopes have a function to average waveforms. In the ordinary encryption process shown in Fig. 4, whenever the same data is input, the same current value is output except for its noise components. This means that the noise components can be removed by gathering many current waveforms of the same input data and averaging them. This method is based on the law of large numbers that the means of a large number of samples, which are independent and vary according to identical distributions, of a stochastic variable are approximately equal to the theoretical mean of the samples. Actually, a current observed on an oscilloscope can be considered to include current noise whose mean value is zero. Such an assumption is valid since a nonzero mean value of the current noise indicates that the current includes some DC component.

[0143] On the other hand, consider a case in which an attacker observing the currents knows the fact that the process of scrambling the currents shown in Figs. 7A and 7B has already been carried out. The attacker can derive the proper key by obtaining t[0] and t[1] to calculate S1 and S2, and adding them at the final step. However, it is generally difficult to remove current noise by hardware alone, that is, it is difficult to fully specify the keys t[0] and t[1] by observing only a single current waveform. Therefore, it is necessary to obtain a plurality of waveforms in order to enhance the accuracy. However, in the process shown in Figs. 7A and 7B, the random number R changes every time the current is measured, thereby changing the values of t[0] and t[1]. As a result, obtaining many waveforms to average them only produces a confused result since the obtained waveforms each correspond to a different exponent, making it difficult to extract any meaningful information from them.

[0144] Description will be made of another method (a third method) for scrambling the currents by dividing the key (secret exponent).

[0145] Figs. 8A and 8B are flowcharts showing this process. Both figures are linked together at (A) to form a complete flowchart.

[0146] The process shown in Figs. 8A and 8B takes the following steps.

[0147] The calculation process starts at step 0800.

(1) As in the above process shown in Fig. 4, a table is prepared to store the values of expressions each assigned to a respective one of the variables A[0], A[1], A[2], and A[3], at step 0801.

(2) Then, initialization is carried out by letting S1=1 and S2=1. The variables S1 and S2 are each provided to hold a value obtained as a result of calculation using a respective one of two divided secret exponents (that is, divided secret information). (step 0823)

(3) A random number R for scrambling is prepared. In this case, a pseudorandom number may be used as the random number R. (0802)

(4) An exponent x is divided into two divided exponents at step 0803 as follows.

t[0]=V

t[1]=x-V

(5) The two divided secret keys (exponents) t[0] and t[1] are each used to perform respective modular exponentiations. The process of these modular exponentiations is the same as that of the ordinary one as illustrated below.

To begin with, the fourth-power operations S1=S1^4 mod n and S2=S2^4 mod n are performed for t[0] and t[1] respectively at steps 804 and 805.

(6) It is determined which decision step corresponds to each bit block obtained as a result of further dividing the above divided secret keys t[0] and t[1] for every two bits, starting from the bit block of the most significant two bits of one of the divided secret keys, and sequentially checking one bit block after another. The above determination is made based on the value of each bit block, that is, whether the value of each bit block is "00", "01", "10", or "11". (steps 0806, 0807, 0808, 0809, 0810, 0811, 0812, and 0813)

(7) The following modular multiplications are performed using the above S1 and S2, and the values stored in the table prepared at step 0801. (steps 0814, 0815, 0816, 0817, 0818, 0819, 0820, and 0821)

S1=S1*A[j] mod n, where j=0,1,2,3.
S2=S2*A[j] mod n, where j=0,1,2,3.

(8) If all the bit blocks have been checked, the final values of S1 and S2 are obtained. (steps 0824 and 0825)

(9) Lastly, the operation S1*S2 mod n is performed.

[0148] Since t[0]+t[1]=x, the equation S1*S2 mod n = y^x mod n holds. The right side of the equation is the original encryption formula for data to be transmitted. (step 0826)

[0149] To successfully perform statistical processing of consumed-current waveforms, each bit value of the secret key must remain the same no matter how many times the corresponding process is performed. The simplest example of the statistical processing is averaging of waveforms to remove noise components from them. This method of removing noise is widely used. Actually, many digital oscilloscopes have a function to average waveforms. In the ordinary process shown in Fig. 4, whenever the same data is input, the same current value is output except for its noise components. This means that the noise components can be removed by gathering many current waveforms of the same input data and averaging them.
[0150] On the other hand, consider a case in which an attacker observing the currents knows the fact that the process of scrambling the currents shown in Figs. 8A and 8B has been already carried out. The attacker can derive the proper key by obtaining t[0] and t[1] to calculate S1 and S2, and adding them at the final step.

[0151] However, it is generally difficult to remove current noise by hardware alone. That is, it is difficult to fully specify the keys t[0] and t[1] by observing only a single current waveform. Therefore, it is necessary to obtain a plurality of waveforms in order to enhance the accuracy. However, in the process shown in Figs. 8A and 8B, the random number R changes every time the current is measured, thereby changing the values of t[0] and t[1]. As a result, obtaining many waveforms to average them only produces a confused result since the obtained waveforms each correspond to a different exponent, making it difficult to extract any meaningful information from them.

[0152] Description will be made of another method (a fourth method) for scrambling the currents by dividing the secret key (secret exponent). This method uses Euler's totient function f(n)=(p-1)(q-1).

[0153] According to Euler's theorem, if y and n are natural numbers prime to each other, the equation y^f(n) mod n=1 holds. From this equation, the equation y^x mod n = y^(x+Sf(N)) mod n also holds.

[0154] Fig. 9 is a flowchart showing a process of scrambling the currents using the above equation. This process has substantially the same structure as that of the process employing the ordinary modular exponentiation shown in Fig. 4.

(1) A table 0901 is prepared to store the values of expressions each assigned to a respective one of the variables A[0], A[1], A[2], and A[3]. This table 0901 is the same as that in Fig. 5. (step 0901)

(2) Variables for storing operation results are initialized at step 0904.

(3) A random number R for scrambling is generated. In this case, a pseudorandom number may be used as the random number R. (0902)

(4) The exponent x is replaced by u (=x+Rf(n)) at step 0903.

The subsequent process steps are the same as those for the ordinary modular exponentiation.

(5) The bit values of the above exponent u are read for every two bits (a bit block) starting from the first two bits. Then, the fourth-power operation S=S^4 mod n is performed. (step 0904)

(6) It is determined which decision step corresponds to each bit block of u. The above determination is made based on the value of each bit block, that is, whether the value of each bit block is "00", "01", "10", or "11". (steps 0905, 0906, 0907, and 0908)

(7) The following modular multiplications are performed which each correspond to a respective decision step (condition). (steps 0909, 0910, 0911, and 0912) S=S*A[j] mod n, where j=0,1,2,3, and A[0]=1, A[1]=y, A[2]=y^2 mod n, and A[3]=y^3 mod n.

(8) The above operations are repeated until all the bits of the exponent have been checked. (steps 0914 and 0915)

[0155] For example, when N=187 (=11*17), f(N)=(11-1)*(17-1)=160. Accordingly, if the exponent x = 38 = 100110 (binary expression),

x+f(N) = 38+160 = 198 = 11000110 (binary expression) and

x+2f(N) = 38+320 = 358 = 101100110 (binary expression). Thus, two different bit patterns are produced.

Since the exponent u has a bit pattern different from that of the exponent x, the exponent u proceeds to a different operation step from that for the exponent x, scrambling the corresponding current.

[0156] However, even though "x+Sf(N)" has a bit pattern different from that of x, they are of the same residue class modulo N. Accordingly, deriving the bit pattern of "x+Sf(N)" from a single current measurement is equivalent to deriving that of x (or stealing the secret key x, so to speak). On the other hand, since an observed current inevitably includes current noise, it is often necessary to average its waveforms. However, as in the example shown in Fig. 9, if the value of S is changed for each modular exponentiation (especially randomly), obtaining many waveforms to average them only produces a confused result since the obtained waveforms each correspond to a different exponent, making it difficult to extract any meaningful information from them. It should be noted that the value of S may be randomly changed using pseudorandom numbers.
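The three ways of dividing the secret exponent described above (Figs. 7A/7B, Figs. 8A/8B and Fig. 9), as an added Python sketch that is not part of the patent text. It uses the numbers of paragraph [0155] (N=187, f(N)=160, x=38); the function names are made up for this example, V is assumed to be a random value between 0 and x, and Python's built-in pow stands in for the 2-bit-block loop, whose block sequence is shown by two_bit_blocks.

```python
import secrets

def two_bit_blocks(u):
    """2-bit blocks of u, most significant first: the sequence selecting A[j]."""
    nbits = max(2, u.bit_length() + u.bit_length() % 2)
    return [(u >> shift) & 0b11 for shift in range(nbits - 2, -1, -2)]

def split_and(x):
    """Figs. 7A/7B: t[0] = x AND R, t[1] = x AND (bit inverse of R)."""
    r = secrets.randbits(max(1, x.bit_length()))
    return x & r, x & ~r                     # disjoint bits, so t[0]+t[1] == x

def split_sub(x):
    """Figs. 8A/8B: t[0] = V, t[1] = x - V (V assumed random in 0..x)."""
    v = secrets.randbelow(x + 1)
    return v, x - v

def modexp_split(y, x, n, split):
    """Two exponentiations with the divided exponents, then S1*S2 mod n."""
    t0, t1 = split(x)
    s1 = pow(y, t0, n)
    s2 = pow(y, t1, n)
    return (s1 * s2) % n, (t0, t1)

def modexp_totient(y, x, n, phi, rand_bits=16):
    """Fig. 9: replace x by u = x + R*f(n); needs y and n prime to each other."""
    r = secrets.randbits(rand_bits)
    u = x + r * phi
    return pow(y, u, n), u

def observed_sequences(x, phi, multipliers):
    """Block sequences an observer would meet for u = x + R*f(n), per R."""
    return {r: two_bit_blocks(x + r * phi) for r in multipliers}

if __name__ == "__main__":
    n, phi, x, y = 187, 160, 38, 2           # [0155] values; y = 2 is constructed
    print("plain result      :", pow(y, x, n))
    print("AND split         :", modexp_split(y, x, n, split_and))
    print("subtractive split :", modexp_split(y, x, n, split_sub))
    print("totient blinding  :", modexp_totient(y, x, n, phi))
    for r, seq in observed_sequences(x, phi, (0, 1, 2)).items():
        print(f"R={r}: u={x + r * phi} blocks={seq}")
```

The result is the same in every variant, while the exponent bits that drive the per-block decisions differ from run to run, so averaged traces no longer correspond to one fixed bit pattern.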

[0157] Next, consider an application of the concept described above to elliptic-curve encryption.

[0158] First of all, the elliptic-curve encryption itself is explained briefly.

[0159] An elliptic curve is a set of zero points of a tertiary polynomial. To put it concretely, for a characteristic K of other than 2, the elliptic curve is expressed in the following standard form:

y^2 = x^3 + Ax^2 + Bx + C

[0160] On a field with a characteristic of 2, on the other hand, the elliptic curve is expressed in the following standard form:

y^2 + cy = x^3 + Ax + B or

y^2 + xy = x^3 + Ax + B

[0161] In either case, consideration includes an infinite point O to be described later.
[0162] Fig. 10 is a diagram showing typical shapes of the elliptic curve. Units taken on the X horizontal axis and the Y horizontal axis are arbitrary. To be more specific, curves 100 and 101 are each a typical elliptic curve. In the present invention, the value of the characteristic, that is, whether or not the characteristic is 2, is not of particular importance. Thus, for the sake of brevity, a characteristic of other than 2 is assumed in the following description. In addition, since what is required for encryption is only the case of a finite field, only the case of a finite field is explained. A field composed of a finite number of elements is referred to as a finite field or a Galois field. The structure of a finite field is well known. A most simple technique to configure a finite field is explained as follows.

[0163] First of all, consider a residue class ring Zp of an integer ring with an element count p used as modulo. In the residue class ring Zp, since each element other than 0 has a reciprocal, the field has a structure. This field is called a prime field denoted by a symbol Fp. The prime field is an example of the most primitive finite field.

[0164] Next, consider a polynomial f(X) having elements Fp as its coefficients. By attaching zero points not included in Fp to Fp, a new field can be configured. The newly configured field is called a finite-order algebraic extension field of Fp. As is commonly known, the number of elements pertaining to the finite-order algebraic extension field of Fp is a number of the pth power. A finite-order algebraic extension field may be denoted by a symbol Fq or the like indicating that the number of elements is equal to q.

[0165] It is possible to define an operation to be carried out on points on an elliptic curve. As an example, the concept of an addition operation carried out on points on an elliptic curve is explained by referring to Fig. 10. Consider two points P and Q on the elliptic curve 100. A straight line is drawn through the two points P and Q. The straight line crosses the elliptic curve 101 at a point S. Another point symmetrical to the point S with respect to the X axis exists on the elliptic curve 101 due to a property of symmetry of the curve 101. This other point is denoted by a notation (P + Q) which defines the sum of P and Q. It should be noted that for the point P coinciding with the point Q (or P = Q), the straight line passing through the two points is a line tangential to the elliptic curve 101 at these coinciding points. If there is no cross point, an infinite point is taken into consideration as a virtual point. This imaginary point is regarded as a cross point. The infinite point is denoted by the symbol O. Another point symmetrical to the point P with respect to the X axis exists on the elliptic curve 100. This other point is referred to as the reciprocal of the point P and denoted by a symbol -P. A value obtained as a result of adding the point P in G (E / Fq) to be described later to itself k times is referred to as kP. On the other hand, a value obtained as a result of adding the point -P to itself k times is referred to as -kP. The operation of adding the point P to itself k times is referred to as scalar multiplication of the point P. Their coordinates can be represented by a rational expression of P and Q coordinates. Thus, it is possible to define an addition operation on a general field. Much like the ordinary addition, the associative law and the commutative law are applicable to the addition operation described above. In the addition operation, the infinite point O plays the role of the value of zero in the same way as the ordinary addition. The sum of -P and P is O. This indicates that the addition operation carried out on points on an elliptic curve has the structure of an Abelian group. This is referred to as a Mordell-Weil group in some cases. A Mordell-Weil group with a fixed elliptic curve E and a fixed definition field Fq is denoted by the symbol G (E / Fq) in some cases. The structure of G (E / Fq) is very simple. As is commonly known, the structure has the same form as a cyclic group or a product of two cyclic groups.

[0166] In general, even if the value of a product Q = kP is known, the amount of processing to reversely compute the value of k is large and thus the processing is not simple. This large amount of reverse computation and the complicated processing are known as a discrete logarithm problem. The elliptic-curve encryption utilizes the fact that the discrete logarithm problem on an elliptic curve is difficult.

[0167] The following description explains an encryption method utilizing an elliptic curve provided by the present invention. There are a variety of encryption methods each utilizing an elliptic curve. Such encryption methods include an elliptic curve ElGamal cryptosystem and an elliptic ESA (Electric Signature Algorithm). The elliptic curve ElGamal cryptosystem is explained below. In the case of the elliptic curve ElGamal cryptosystem, it is possible to apply the encryption technique using the scalar multiplication of a point on an elliptic curve in the same way.

[0168] Assume that an elliptic curve E and a point P on the curve are disclosed. In general, the point P is a point with a large order. This point is called a base point.

[0169] Consider a case in which Mr. A sends secret information M to Mr. B. The secret information M is expressed by a point on the elliptic curve. It should be noted that, for how to embed plaintext (ciphertext) into an elliptic curve, refer to "A Course in Number Theory and Cryptography" authored by N. Koblitz, second edition, Graduate Texts in Mathematics 114, Springer-Verlag, 1987.

<Step 1> Mr. B, the message recipient, selects a positive integer x[B], keeps the integer as a secret key and catalogs Y[B] = x[B]P in a public-key note.

<Step 2> Mr. A, the message sender, sends C1 = RP and C2 = M + RY[B], where R is a random number, to Mr. B.

<Step 3> Mr. B receives C1 and C2, decrypting C1 and C2 into M (= C2 - x[B]C1) where x[B] is Mr. B's own secret key.

[0170] The need for scalar multiplication of a point on an elliptic curve is not limited to the elliptic curve ElGamal encryption but also applies to the elliptic-curve encryption.

[0171] An algorithm of the scalar multiplication is similar to an algorithm of the modular exponentiation. Fig. 11 is a typical flowchart representing processing to apply a standard algorithm for computing a scalar multiple kP of P for every two bits of a secret key in the same way as the modular exponentiation (k is an integer).

(1) The processing is started at step 1200. First of all, a table of base points P is created in order to carry out processing of two bits at one time. In the modular exponentiation, four points O, P, 2P and 3P are prepared for respectively the 0th power, the first power, the second power and the fourth power modulo n. To put it concretely, P[0] = O, P[1] = P, P[2] = 2P and P[3] = 3P at step 1201.

Unlike the modular exponentiation, it is not necessary to update this table from time to time. That is to say, the table can be prepared in advance once for all.

(2) At step 1202, the value of a point for computation is initialized.

(3) At step 1203, a four-time value of the value of the point is computed. S = 4S.

(4) At step 1204, 1205, 1206 or 1207, two bits of the secret key k are examined to form a judgment as to whether or not the examined two bits are 00, 01, 10 or 11 respectively. The secret key k is stored in advance typically in an EEPROM of an IC chip.

(5) If the two bits are 00, 01, 10 or 11, specific processing is carried out to add P[0], P[1], P[2] or P[3] to S at step 1208, 1209, 1210 or 1211 respectively. That is, S = S + P[j] where j = 0, 1, 2 or 3 if the two bits are 00, 01, 10 or 11 respectively.

(6) This processing to compute the scalar multiple kP is carried out repeatedly till all bits of the secret key k are examined as indicated by a result of a judgment formed at a step 1213. At a step 1214, this processing is ended.

45 

[0172] This processing is carried out for every two bits
of the secret key k starting with the two most significant
bits. It is obvious that the structure of the algorithm is
mathematically similar to the modular exponentiation.
As will be described again later, the modular exponentiation
in the RSA and the addition operation on an elliptic curve can
each be regarded as an operation in an algebraic system called
Zn or G (E / Fq) respectively. These operations can be extended
to a more general algebraic system. A method adopted in computer
processing with the extension to a more general algebraic system
is executed by using the algorithm described above.
[0173] In execution of an internal program by using a
microcomputer, on the other hand, it is quite within the
bounds of possibility that the amount of power consumed
internally leaks out during an operation. Thus, there is a risk
of leaking of secret-key processing in the execution of the
process by a microcomputer. For example, specific processing is
carried out in dependence on the value of bits in the secret key
k. If a difference in specific processing appears as a difference
in power consumption, it is quite within the bounds of
possibility that the value of bits of the secret key k can be
recognized from a power waveform. In the example described
above, the value of every two bits in the secret value is
examined.

[0174] The encryption and decryption operations of
the elliptic-curve encryption described above are executed
in accordance with a procedure represented by
the flowchart shown in Fig. 11.

[0175] When a secret key k is read out in statistical 
processing, the processing is split at random by keeping 
in mind that the value of bits in the secret value should 
always remain the same. 

[0176] That is to say, this method is a technique of
splitting of a scalar in computation to calculate a scalar
multiple. It should be noted that, in this case, the random
splitting may include randomness based on a pseudo
random number. A flowchart representing this processing
is shown in Figs. 12A and 12B. Both figures are
linked together at (A) to form a complete flowchart.

(1) At steps 1300 and 1301 of the flowchart of Figs. 12A and 12B
representing typical processing, a table of base points P is
created in order to carry out processing of every two bits of the
secret key k. The processing shown in Fig. 12 is similar to that
shown in Fig. 11.

(2) At the next step 1323, the values of points for computation
are initialized. That is, S1 = 0 and S2 = 0.

(3) At the next step 1302, a random number R for scrambling is
generated.

(4) At the next step 1303, by using the random number R for
scrambling, the secret key k is divided into two as follows.

t[0] = k AND R

t[1] = k AND -R, where -R is the bit inverse of R.

The two divided secret keys t[0] and t[1] are each used to perform
respective modular exponentiations. The process of these modular
exponentiations is the same as that of the ordinary one as
illustrated below.

(5) To begin with, the 4-time operations S1=4S1 and S2=4S2 are
performed at steps 1304 and 1305.

(6) It is determined which decision step corresponds to each bit
block obtained as a result of further dividing the above divided
secret keys t[0] and t[1] for every two bits, starting from the
bit block of the most significant two bits of one of the divided
secret keys, and sequentially checking one bit block after
another. The above determination is made based on the value of
each bit block, that is, whether the value of each bit block is
"00", "01", "10", or "11". (steps 1306, 1307, 1308, 1309, 1310,
1311, 1312, and 1313)

(7) The following modular multiplications are performed using the
above S1 and S2, and the values stored in the table prepared at
step 1301. (steps 1314, 1315, 1316, 1317, 1318, 1319, 1320, and
1321)

S1=S1+A[j], where j=0,1,2,3.
S2=S2+A[j], where j=0,1,2,3.

(8) If all the bit blocks have been checked, the final values of
S1 and S2 are obtained. (steps 1325 and 1324)

(9) Lastly, the flow of processing goes on to step 1322 to compute
the sum on the elliptic curve (S1 + S2) before termination at step
1326. Since t[0] + t[1] = k, S1 + S2 = kP. Thus, the answer is
correct.

[0177] In the examples described above, the key information
k is divided in units of two bits. The key information
may be divided into units of any arbitrary number
of bits, such as three bits or four bits for calculation.
When k is divided in units of j bits, the calculation is carried
out 2^j times. The processing in j-bit units
is an implementation of a concept similar to the modular
multiplication described above.

[0178] To successfully perform statistical processing
of current waveforms, each bit value of the secret key
must remain the same no matter how many times the corresponding
process is performed. The simplest example of the
statistical processing is averaging of waveforms to remove
noise components from them. This method of removing noise is
widely used. Actually, many digital oscilloscopes have a
function to average waveforms. In the ordinary encryption
process shown in Fig. 11, whenever the same data is input, the
same current value is output except for its noise components.
This means that the noise components can be removed by gathering
many current waveforms of the same input data and averaging
them.

[0179] On the other hand, consider a case in which
an attacker observing the currents knows the fact that
the process of scrambling the currents shown in Figs.
12A and 12B has already been carried out. The attacker
can derive the proper key by obtaining t[0] and t[1] to
calculate S1 and S2, and adding them at the final step.
However, it is generally difficult to remove current noise
by hardware alone, that is, it is difficult to fully specify
the keys t[0] and t[1] by observing only a single current
waveform. Therefore, it is necessary to obtain a plurality
of waveforms in order to enhance the accuracy. However,
in the process shown in Figs. 12A and 12B, the random
number R changes every time the current is measured,
thereby changing the values of t[0] and t[1]. As a
result, obtaining many waveforms to average them only
produces a confused result since the obtained waveforms
each correspond to a different exponent, making
it difficult to extract any meaningful information from
them.

[0180] The elliptic curve cryptography can be applied
to another method for dividing a secret key which is similar
to a method described above using a modular exponentiation
in the RSA cryptography. Figs. 13A and 13B
are flowcharts illustrating this method. Both figures are
linked together at (A) to form an entire flowchart.

[0181] The process shown in Figs. 13A and 13B proceeds
as does the ordinary process shown in Fig. 11.

[0182] The processing is started at step 1400.

(1) At step 1401, a table is created in order to carry out
processing of every two bits of a secret key k. The table is set
to indicate that P[0]=0, P[1]=P, P[2]=2P and P[3]=3P.

(2) Then, variables for storing calculation results are
initialized at step 1423.

(3) At step 1402, a random number R for scrambling is prepared.
In this case, a pseudorandom number may be used as the above
random number R.

(4) At 1403, by using a random number V for scrambling equal to
or less than k, the secret key k is divided into two divided
secret keys as follows.

t[0]=V

t[1]=k-V

(5) The two divided secret keys t[0] and t[1] are each used to
perform respective modular exponentiations. The process of these
modular exponentiations is the same as that of the ordinary one.
To begin with, the 4-time operations S1=4S1 and S2=4S2 are
performed at steps 1404 and 1405.

(6) It is determined which decision step corresponds to each bit
block obtained as a result of further dividing the above divided
secret keys t[0] and t[1] for every two bits, starting from the
bit block of the most significant two bits of one of the divided
secret keys, and sequentially checking one bit block after
another. The above determination is made based on the value of
each bit block, that is, whether the value of each bit block is
"00", "01", "10", or "11". (steps 1406, 1407, 1408, 1409, 1410,
1411, 1412, and 1413)

(7) The modular multiplication corresponding to the above
determined decision step is performed using values stored in the
table. (steps 1414, 1415, 1416, 1417, 1418, 1419, 1420, and 1421)

(8) If all the bit blocks have been checked, the final values of
S1 and S2 are obtained. (steps 1424 and 1425)

(9) Lastly, the sum of S1+S2 is calculated at steps 1422 and
1426. Since t[0]+t[1]=k, S1+S2=kP. Thus, the answer is correct.
(step 1420)

[0183] To successfully perform statistical processing
of current waveforms, each bit value of the secret key
must remain the same no matter how many times the corresponding
process is performed. The simplest example of the
statistical processing is averaging of waveforms to remove
noise components from them. This method of removing noise is
widely used. Actually, many digital oscilloscopes have a
function to average waveforms. In the ordinary encryption
process shown in Fig. 11, whenever the same data is input, the
same current value is output except for its noise components.
This means that the noise components can be removed by gathering
many current waveforms of the same input data and averaging
them.

[0184] On the other hand, consider a case in which
an attacker observing the currents knows the fact that
the process of scrambling the currents shown in Figs.
13A and 13B has already been carried out. The attacker
can derive the proper key by obtaining t[0] and t[1] to
calculate S1 and S2, and adding S1 and S2 at the final
step. However, it is generally difficult to completely remove
current noise by hardware alone, that is, it is difficult
to fully specify the keys t[0] and t[1] by observing
only a single current waveform. Therefore, it is necessary
to obtain a plurality of waveforms in order to enhance
the accuracy.

[0185] However, in the process shown in Figs. 13A
and 13B, the random number R changes every time the
current waveform is measured, thereby changing the
values of t[0] and t[1]. As a result, obtaining many waveforms
to average them only produces a confused result
since the obtained waveforms each correspond to a different
bit pattern, making it difficult to extract any meaningful
information from them.

[0186] Next, description will be made of a method for
scrambling the currents similar to a method using an
elliptic curve described above.

[0187] In G (E/Fq), there exist positive integers (each
denoted by m) which satisfy the equation mP=0, where
P denotes all the elements (which correspond to points
on an elliptic curve). The smallest m is referred to as the
order of P and expressed as ord(P).

[0188] By definition, the equation ord(P)P=0 holds.
Accordingly, the equation (k+S*ord(P))P=kP also holds for
any integer S. This equation for an elliptic curve corresponds
to the equation y^(x+Sf(n)) mod n = y^x mod n
in the modular exponentiation.

[0189] By using this property, a key k+S*ord(P) having
a bit pattern different from that of k can be obtained. Fig. 14
shows an algorithm for scrambling statistical processing
of currents for analysis, using the above property.

[0190] The processing is started at step 1500.

(1) At step 1501, a table is created in order to carry out
processing of every two bits of an input value. The table is set
to indicate that P[0]=0, P[1]=P, P[2]=2P and P[3]=3P.

(2) Then, the variable S for storing a calculation result is
initialized so that S=0 at step 1510.

(3) At step 1502, a random number R for scrambling is generated.
In this case, a pseudorandom number may be used as the above
random number R.

Next, the scalar to be processed is changed from k to
u (=k+R*ord(P)) at step 1503.

As illustrated below, the subsequent steps are the same as those
for the ordinary modular exponentiation.

(4) The bit pattern of u is read in units of two bits starting
from the most significant two bits. After that, the 4-time
operation S=4S is performed at step 1504.

(5) At step 1505, 1506, 1507, or 1508, the value of the read two
bits of u is examined to form a judgment as to whether or not the
value is "00", "01", "10", or "11" respectively.

(6) Depending on the examined value, one of predetermined
addition operations is performed on an elliptic curve.
Specifically, addition of S and one of P[0] (=0, the point at
infinity), P[1] (=P), P[2] (=2P), and P[3] (=3P) is performed on
an elliptic curve. (step 1509)

(7) The above process is repeated until all bits of the scalar k
are examined. After all the bits of the scalar k are examined,
this processing is ended. (steps 1511 and 1512)

[0191] As in the modular exponentiation, k and
"k+R*ord(P)" have bit patterns different from each other.
Accordingly, they each proceed to a different operation
step, thereby scrambling the corresponding waveform.

[0192] As described above, however, even though
"k+S*ord(P)" has a bit pattern different from that of k, it
is equivalent to k on an elliptic curve E. Accordingly, deriving
the bit pattern of "k+S*ord(P)" from a single current
measurement is equivalent to deriving that of k (or stealing
the secret key k, so to speak). On the other hand,
since an observed current inevitably includes current
noise, it is often necessary to average the waveforms.
However, as in the example shown in Fig. 14, if the value
of S is changed (especially randomly) for each scalar
multiplication operation on a point on an elliptic curve,
obtaining many waveforms to average them only produces
a confused result since the obtained waveforms
each correspond to a different exponent, making it difficult
to extract any meaningful information from them. It
should be noted that the value of S may be randomly
changed based on pseudorandom numbers.
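The two-bit scalar multiplication of Fig. 11 and the three scalar-randomizing variants described above (the AND split of Figs. 12A/12B, the subtractive split of Figs. 13A/13B, and the k+R*ord(P) form of Fig. 14) can be checked against each other with the following added example, which is not code from the patent. The toy curve, base point, key width and all function names are assumptions chosen for illustration, and the two partial sums are computed one after the other rather than interleaved per bit block.

```python
import secrets

# Toy curve y^2 = x^3 + A*x + B over F_p. Constructed for illustration only:
# the field is far too small for real use.
P_MOD, A, B = 10007, 1, 10006
BASE = (2, 3)          # base point P: 3^2 == 2^3 + 2 - 1 (mod p)
O = None               # point at infinity, the patent's P[0] = 0

def add(p, q):
    """Group law on the toy curve, including the identity and inverse cases."""
    if p is O:
        return q
    if q is O:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # P + (-P) = O
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ref_mul(k, point):
    """Plain binary double-and-add, used only as a reference result."""
    acc = O
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, point)
    return acc

def order_of(point):
    """ord(P) by brute force (feasible only because the curve is tiny)."""
    m, q = 1, point
    while q is not O:
        q, m = add(q, point), m + 1
    return m

def window2_mul(k, point, nbits):
    """Fig. 11: two key bits per iteration, most significant pair first."""
    table = [O, point, add(point, point)]          # P[0], P[1], P[2]
    table.append(add(table[2], point))             # P[3] = 3P
    s = O
    for shift in range(nbits - 2, -2, -2):         # nbits must be even
        s = add(s, s)
        s = add(s, s)                              # S = 4S
        s = add(s, table[(k >> shift) & 3])        # S = S + P[j]
    return s

def split_and(k, point, nbits):
    """Figs. 12A/12B: t[0] = k AND R, t[1] = k AND (bit inverse of R)."""
    r = secrets.randbits(nbits)
    t0 = k & r
    t1 = k & ~r & ((1 << nbits) - 1)
    total = add(window2_mul(t0, point, nbits), window2_mul(t1, point, nbits))
    return total, (t0, t1)

def split_sub(k, point, nbits):
    """Figs. 13A/13B: t[0] = V, t[1] = k - V with random V <= k."""
    v = secrets.randbelow(k + 1)
    total = add(window2_mul(v, point, nbits), window2_mul(k - v, point, nbits))
    return total, (v, k - v)

def blind(k, point, ord_p, rbits=8):
    """Fig. 14: process u = k + R*ord(P) instead of k."""
    u = k + secrets.randbits(rbits) * ord_p
    nbits = u.bit_length() + (u.bit_length() & 1)  # round up to an even width
    return window2_mul(u, point, nbits), u
```

Every variant returns the same point kP while the values actually scanned bit block by bit block (t[0], t[1] or u) differ from run to run, which is the property the averaging argument above relies on.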
[0193] The following method enhances the current
scrambling effect provided by the processes described
above. Specifically, after an input signal or an exponent
is divided, the order of the calculation steps is changed
in the subsequent operation. This technique can be applied
to the preferred embodiments of the present invention
described above.

[0194] Figs. 15A and 15B show a method for changing
the order of calculation steps for each iteration after
input data is divided in the modular exponentiation y^x
mod n. Both figures are actually joined together at points
(A) and (B) in the figures to form an entire flowchart. This
example can be regarded as a further transformation
calculation of the above example in Fig. 5.

[0195] The processing is started at step 1500.

(1) At step 1601, a table is created in order to carry out
processing of two bits at one time. The table is set to indicate
that A[0]=1, A[1]=y, A[2]=y^2 mod n, and A[3]=y^3 mod n.

(2) A variable S for storing a calculation result is initialized
so that S=1 at step 1624.

(3) A random number R for scrambling input data and a random
number v (0 or 1) for randomly determining which branch to follow
are generated. In this case, pseudorandom numbers may be used to
provide the above random number R and random number v for
branching. (step 1603)

(4) It is determined whether the last two bits of x have been
checked at step 1604. Then, it is determined whether the value of
each bit block (two bits) of x is "00", "01", "10", or "11" at
step 1605, 1606, 1607, or 1608. Based on the above determination,
it is determined whether A[0], A[1], A[2], or A[3] is to be
divided.

(5) Furthermore, depending on whether the value of v is 1, it is
determined whether or not to reverse the order of the subsequent
restoration steps, at step 1609, 1610, 1611, or 1612.

(6) Based on the above determinations as to the value of the bit
block and the value of v, the following restoration operations
are performed. (steps 1613, 1614, 1615, 1616, 1617, 1618, 1619,
and 1620)

B[0]=A[j] AND R and B[1]=A[j] AND -R, where j=0,1,2,3.

(7) The final operation result S is obtained after the following
three operations.

S=S*B[0] mod n (step 1621)
S=S*B[1] mod n (step 1622)
S=S1+S2 mod n (step 1623) (which is an addition operation on the
above two operation results)

(8) After making sure that the last two bits of x have been
checked at step 1604, the calculation is ended at step 1624.

[0196] This process further adds information necessary
to infer the internal processing contents from the
consumed currents observed. As a result, the inference
becomes more difficult.

[0197] Also in the case of division of an exponent, the
current scrambling effect can be enhanced by randomly
determining the order of process steps after the division.
Figs. 16A and 16B show an example of this method.
Both figures are actually joined together at points (A),
(B), and (C) in the figures to form an entire flowchart.
There are a variety of methods for changing the order
of process steps. Some of them are illustrated below.

[0198] The following calculations are performed in the
process shown in Figs. 16A and 16B. This example can
be regarded as a further transformation calculation of
the above example in Figs. 7A and 7B.

(1) The processing is started at step 1700. At step 1701, a table
is created in order to carry out processing of two bits at one
time.

(2) The variables S[0] and S[1] are initialized so that S[0]=1
and S[1]=1 at step 1712. The details of the above two steps were
already explained.

(3) At step 1702, a random number R for scrambling is generated
to divide an exponent x. A pseudorandom number may be used as the
above random number R.

(4) At step 1703, the exponent x is divided into two divided
exponents t[0] and t[1] as follows.

t[0]=x AND R and t[1]=x AND -R, where -R is the bit inverse of R.

Alternatively, as illustrated above, the exponent x can be
divided by the equation t[1]=x-t[0], where t[0] is a random
number equal to or less than x.

(5) It is determined whether all bits of x have been checked at
step 1704.

(6) If not all bits of x have been checked, a random number v
(0 or 1) for branching is generated at step 1702.

(7) At step 1706, it is determined whether this random number v
for branching is 0 or 1.

(8) Based on the value of v, the order of the subsequent process
steps is changed at steps 1707 and 1709.

Specifically, if v=0, t[0] is first processed at step 1707, and
then t[1] is processed at step 1708. If v=1, on the other hand,
t[1] is first processed at step 1709, and then t[0] is processed
at step 1710.

(9) In either case, after all bits of t[0] and t[1] are checked,
modular multiplication of S[0] and S[1], that is, the operation
S[0]*S[1] mod n is performed at step 1711.

(10) This calculation result gives the proper encrypted data at
step 1713. It should be noted that Fig. 17 shows the details of a
modular multiplication routine for every two bits of the exponent
employed in the process of Fig. 16B.

[0199] At step 1800, a signal is input, and the operation
S[j]=S[j]^4 mod n is performed.

[0200] Each bit block (two bits) of input t[j] is examined.
Depending on whether the bit block is "00", "01",
"10", or "11", a modular multiplication of S[j] and A[0],
A[1], A[2], or A[3] is performed respectively. That is,
S[j]=S[j]*A[j] mod n, where j=0,1,2,3. The calculation result
S[j] is output. This process makes it impossible to infer
the order of the waveform of each consumed current.
As a result, it becomes difficult to derive the bit pattern
of x from the currents.

[0201] Fig. 18 shows another method for randomly
determining the order of exponent processing steps after
the exponent is divided. This example is different
from that shown in Figs. 16A and 16B.

[0202] The process flow in Fig. 18 proceeds as follows.

(1) The processing is started at step 1900. At step 1901, a table
is created in order to carry out processing of two bits at one
time.

(2) The variables S[0] and S[1] for storing calculation results
are initialized at step 1902. The details of the above two steps
were already explained.

(3) At step 1903, a random number R for scrambling equal to or
less than x is generated to divide an exponent x. A pseudorandom
number may be used as the above random number R.

(4) At step 1904, the exponent x is divided into two divided
exponents t[0] and t[1] as follows.

t[0]=R and t[1]=x-R

Alternatively, as illustrated above, the exponent x can be
divided by the equations t[0]=x AND R and t[1]=x AND -R, where R
is a random number.

(5) It is determined whether all bits of x have been checked at
step 1905.

(6) If not all bits of x have been checked, it is further
determined whether all bits of t[0] and/or t[1] have been
checked. If only t[0] has been completely checked, t[1] continues
to be checked. If only t[1] has been completely checked, on the
other hand, t[0] continues to be checked. If neither t[0] nor
t[1] has been completely checked, the process flow proceeds to
steps in which a branch to follow is randomly determined. (step
1906)

(7) At step 1907, a random number v (0 or 1) is generated in
order to determine which branch to follow. And it is determined
whether the generated random number v is 0 or 1 at step 1908.

(8) If the random number v is 0, t[0] is checked at step 1909. If
it is 1, on the other hand, t[1] is checked at step 1910.

(9) In either case, after all bits of both t[0] and t[1] are
checked, modular multiplication of S[0] and S[1], that is, the
operation S[0]*S[1] mod n is performed at step 1911.

(10) This calculation result gives the proper encrypted data at
step 1912.
[0203] In the former method for randomly determining
the order of the process steps, a bit block of t[0] and a
bit block of t[1] are alternately checked regardless of the
value of v. However, this method for randomly determining
the order does not impose such a restriction. This is
a significant difference between them.

[0204] It should be noted that the details of the modular
multiplication routine for every two bits of the exponent
shown in Fig. 17 are also applied to each modular
multiplication routine employed in the process of Fig. 18.

[0205] This process makes it impossible to infer the
order of the waveform of each consumed current. As a
result, it becomes difficult to derive the bit pattern of x
from the currents.
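The Fig. 18 flow, in which the exponent is divided as t[0]=R and t[1]=x-R and a random bit v chooses which half advances next, is sketched below as an added example that is not code from the patent. The function names, the recorded schedule and the small modulus used to exercise it are assumptions made for illustration.

```python
import secrets

def two_bit_blocks(t, nbits):
    """Two-bit blocks of t, most significant block first (nbits even)."""
    return [(t >> shift) & 3 for shift in range(nbits - 2, -2, -2)]

def modexp_random_order(y, x, n, nbits):
    """y^x mod n with the exponent split in two and the halves processed in
    a randomly interleaved order. Returns (result, schedule, (t0, t1))."""
    table = [1, y % n, y * y % n, y * y * y % n]   # A[0..3], step 1901
    s = [1, 1]                                     # S[0], S[1], step 1902
    r = secrets.randbelow(x + 1)                   # R <= x, step 1903
    t = (r, x - r)                                 # t[0]=R, t[1]=x-R, step 1904
    blocks = [two_bit_blocks(t[0], nbits), two_bit_blocks(t[1], nbits)]
    pos = [0, 0]                                   # next block of each half
    total = nbits // 2
    schedule = []                                  # which half ran at each step
    while pos[0] < total or pos[1] < total:        # steps 1905 and 1906
        if pos[0] == total:
            j = 1                                  # only t[1] is left
        elif pos[1] == total:
            j = 0                                  # only t[0] is left
        else:
            j = secrets.randbits(1)                # v, steps 1907 and 1908
        # Fig. 17 routine for one block: fourth power, then table multiply.
        s[j] = pow(s[j], 4, n)
        s[j] = s[j] * table[blocks[j][pos[j]]] % n
        pos[j] += 1
        schedule.append(j)
    return s[0] * s[1] % n, schedule, t            # step 1911
```

The result equals y^x mod n for every run, while both the split and the order in which blocks of t[0] and t[1] are consumed change between runs.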

[0206] Next, description will be made of a method for
randomly determining the order of process steps using
a scalar multiple k of a point P on an elliptic curve. This
method is similar to the above method using modular
multiplication. Fig. 19 shows the algorithm which is similar
to that shown in Fig. 18. It goes without saying that
the present method can be applied to a structure similar
to that shown in Fig. 16.

[0207] The process flow shown in Fig. 19 proceeds
as follows.

(1) At step 2001, a table is created in order to carry out
processing of two bits at one time.

(2) The variables S[0] and S[1] are initialized at step 2002.

The details of the above two steps were already explained.

(3) To divide a scalar k, a random number R equal to or less than
k is generated at step 2003. A pseudorandom number may be used as
the above random number R.

(4) At step 2004, the scalar k is divided into two divided
scalars t[0] and t[1] as follows.

t[0]=R

t[1]=k-R

Alternatively, as illustrated above, the scalar k can be divided
by the equations t[0]=k AND R and t[1]=k AND -R, where R is a
random number and -R is the bit inverse of R.

(5) It is determined whether all bits of k have been checked at
step 2005.

(6) If not all bits of k have been checked, it is determined
whether all bits of t[0] and/or t[1] have been checked at step
2006.

(7) If only t[0] has been completely checked, t[1] continues to
be checked. If only t[1] has been completely checked, on the
other hand, t[0] continues to be checked. If neither t[0] nor
t[1] has been completely checked, the process flow proceeds to
steps in which a branch to follow is randomly determined. (step
2006)

(8) At step 2007, a random number v (0 or 1) is generated in
order to determine which branch to follow.

(9) It is determined whether the generated random number v is 0
or 1 at step 2008.

(10) If the random number v is 0, t[0] is checked at step 2009.
If it is 1, on the other hand, t[1] is checked at step 2010.

(11) In either case, after all bits of both t[0] and t[1] are
checked, modular multiplication of S[0] and S[1] is performed at
step 2011.

(12) This calculation result gives the proper encrypted data at
step 2012.

[0208] Fig. 20 shows the details of the scalar multiplication
routine for every two bits of a scalar shown in Fig. 19.

[0209] Specifically, depending on whether the value
of each bit block (two bits) of input t[j] is "00", "01", "10",
or "11", addition of S[j] and P[0], P[1], P[2], or P[3] on an
elliptic curve is performed respectively. Then, the calculation
result S[j] is output. This process makes it impossible
to infer the order of the waveform of each consumed
current. As a result, it becomes difficult to derive
the bit pattern of k from the currents.

[0210] As illustrated above, the gist of the technical
idea of an embodiment according to the present invention
is to divide the bits of an exponent or a scalar to be
processed into bit blocks so that the order of the
processing of each bit block can be changed. As a result,
the bit pattern looks to the current observer as if it
were randomly changed.

[0211] There is a technique for changing a processing
order other than the methods described above. For example,
in the above embodiments, the exponent and the
scalar are each split into two portions only. It should be
noted, however, that they can each be split into three or
four portions as well and, in order to generate a random
number, a technique such as a quasi-periodic sequence
or a chaotic sequence can be adopted. While the random
numbers described so far can be regarded as random
numbers of a periodical number series with a large
period, random numbers pertaining to a series with a
small period can also be used.

[0212] As is obvious from the above description, at an
abstract level, the concept provided by the present invention
for the modular exponentiation is exactly the
same as the concept for the addition on an elliptical
curve. It is natural to abstract the concepts into a level
of abstraction beyond actual implementations.

[0213] In the embodiment for carrying out the modular
exponentiation and the addition of points on an elliptical
curve with modulo of n described above, if the processing
to compute a product and the processing to compute
a sum are denoted by a generic symbol O, the flowcharts
representing these pieces of processing become entirely
identical with each other. They include the modular
exponentiation as well as computation of a scalar multiple
of a point on an elliptical curve and are effective for
processing having a similar algebraic structure.
[0214] As described above in detail, in accordance
with the preferred embodiments of the present invention,
in an IC card chip, data is processed by splitting
the data into portions processed in separate processes.
Finally, results produced by the processes are integrated
to give a correct end result. In addition, by varying
an encryption key in a way not affecting the result, it becomes
difficult to infer the processing and the encryption
key from the waveform of a consumed current.

[0215] Embodiments of the present invention can provide
a tamper-resistant information device for use with
the IC card, etc. having high security.

[0216] The technical features of embodiments according
to the present invention are described below.

1. A card comprising: means for inputting a signal;
a storage unit for storing a program; an operation
unit for performing predetermined data processing
according to a program; and means for outputting
a signal; wherein the program stored in the above
storage unit includes one or more data processing
instructions giving an execution direction to the operation
unit; whereby when the signal input from the
above data inputting means is subjected to data
processing, at least one of the above data processing
instructions instructs calculation of the expression
AOB to be performed, where (and hereinafter)
the characters "A" and "B" each denote a signal and
the symbol "O" denotes a given operation, the
above calculation including the steps of: arbitrarily
dividing the above signal A into pieces A[1], A[2], ...,
and A[m], where A=A[1]+A[2]+...+A[m] and m is an
integer equal to or more than 1; arbitrarily dividing
the above signal B into pieces B[1], B[2], ..., and B[n],
where B=B[1]+B[2]+...+B[n] and n is an integer
equal to or more than 1; by using the above pieces
A[1], A[2], ..., and A[m], and the above pieces B[1],
B[2], ..., and B[n], performing the operation ΣA[i]OB[j],
where i=1, ..., and m, and j=1, ..., and n.
whereby when the signal input from said data
inputting means is subjected to data processing,
at least one of said data processing instructions
instructs calculation of the expression
AOB to be performed, where (and hereinafter)
the characters "A" and "B" each denote a signal
and the symbol "O" denotes a given operation,
said calculation including at least one of the
steps of:

(1) arbitrarily dividing said signal A into
pieces A[1], A[2], ..., and A[n], where
A=A[1]+A[2]+...+A[n] and n is an integer; by using
said pieces A[1], A[2], ..., and A[n], and
said signal B, calculating each of the equations
B[1]=A[1]OB, B[2]=A[2]OB, ..., and
B[n]=A[n]OB to obtain B[1], B[2], ..., and B[n],
separately; and performing the addition
operation B[1]+B[2]+...+B[n], where n is an
integer equal to or more than 1;

(2) arbitrarily dividing said signal B into
pieces B[1], B[2], ..., and B[n], where
B=B[1]+B[2]+...+B[n] and n is an integer equal
to or more than 1; by using said signal A
and said pieces B[1], B[2], ..., and B[n], calculating
each of the equations A[1]=AOB[1],
A[2]=AOB[2], ..., and A[n]=AOB[n] to
obtain A[1], A[2], ..., and A[n], separately;
and performing the addition operation
A[1]+A[2]+...+A[n], where n is an integer equal
to or more than 1; and

(3) arbitrarily dividing said signal A into
pieces A[1], A[2], ..., and A[m], where
A=A[1]+A[2]+...+A[m] and m is an integer equal
to or more than 1; arbitrarily dividing said
signal B into pieces B[1], B[2], ..., and B[n],
where B=B[1]+B[2]+...+B[n] and n is an integer;
by using said pieces A[1], A[2], ...,
and A[m], and said pieces B[1], B[2], ...,
and B[n], performing the operation ΣA[i]OB[j],
where i=1, ..., and m, and j=1, ..., and n.

2. An information processing device comprising: 



Claims 



An information processing device comprising: 

means for inputting a signal; 
a storage unit (204) for storing a program (205); 
an operation unit (201 , 202) for perfonning pre- 
determined data processing according to a pro- 
gram; (205) and 
means for outputting a signal; 
wherein the program (205) stored in said stor- 
age unit (204) includes one or more data 
processing instructions giving an execution di- 
rection to the operation unit (201 , 202); 



means for inputting a signal;
a storage unit (204) for storing a program (205);
storage means for storing a result of a
predetermined calculation;
an operation unit (201, 202) for performing
predetermined data processing according to a
program (205); and
means for outputting a signal;
wherein the program (205) stored in said storage
unit (204) includes one or more data processing
instructions giving an execution direction to the
operation unit (201, 202);
whereby when the signal input from said data
inputting means is subjected to data processing,
at least one of said data processing instructions
instructs calculation of the expression A^k
to be performed, where (and hereinafter) the
characters "A" and "k" each denote a signal,
and A^k = A O A O ... O A (the right side of the
equation including k number of A's and "k-1"
number of "O"s, which each denote an operation),
said calculation including the steps of:

arbitrarily dividing said signal k into pieces
k[1], k[2], k[3], ..., and k[n], where
k=k[1]+k[2]+k[3]+...+k[n], and n is an integer;

by using said signal A and said pieces k[1],
k[2], k[3], ..., and k[n], calculating each of
the equations h[1]=A^k[1], h[2]=A^k[2], ...,
and h[n]=A^k[n] to obtain h[1], h[2], ...,
and h[n], separately; and

calculating the expression A^k by the
equation A^k = h[1] O h[2] O ... O h[n], where
n is an integer equal to or more than 1.

3. An information processing device comprising:

means for inputting a signal;
a storage unit (204) for storing a program (205);
a storage means for storing a result of a
predetermined calculation;
an operation unit (201, 202) for performing
predetermined data processing according to a
program; and
means for outputting a signal;
wherein the program (205) stored in said storage
unit (204) includes one or more data processing
instructions giving an execution direction to the
operation unit (201, 202);
whereby when the signal input from said data
inputting means is subjected to data processing
in which the expression A^x is to be calculated,
where the characters "A" and "x" each denote
a signal and A^x = A O A O ... O A (the right side
of the equation including x number of A's and
"x-1" number of "O"s, which each denote an
operation), at least one of said data processing
instructions instructs calculation of the
expression A^(x+T) to be performed instead, where
A^T=e (the character e indicating an identity
element).

4. An information processing method which lets
plaintext on an information transmitting side and key
information on an information receiving side be
elements A and k, respectively, in a semigroup S'
adopted by said information processing method,
wherein said method performs calculation of the
expression A^k, where A^k = A △ A △ ... △ A (the right
side of the equation including k number of A's and
"k-1" number of "△"s, which each denote an operation
in the semigroup S'), said calculation comprising the
steps of:

arbitrarily dividing k into pieces k[1], k[2],
k[3], ..., and k[n], where k=k[1]+k[2]+k[3]+...+k[n],
and n is an integer;

by using said plaintext A and said pieces k[1],
k[2], k[3], ..., and k[n], calculating each of the
equations h[1]=A^k[1], h[2]=A^k[2], ..., and
h[n]=A^k[n] to obtain h[1], h[2], ..., and h[n],
separately; and

calculating the expression A^k by the equation
A^k = h[1] △ h[2] △ ... △ h[n], where the symbol "△"
denotes an operation in the semigroup S' and
n is an integer equal to or more than 1.

5. The information processing method as claimed in
claim 4, wherein said S, S', or S" is a commutative
ring (also a semigroup) of residue classes modulo
N, where N is a positive integer; the addition
operation "+" is addition modulo N, that is, A+B=(A+B)
mod N; and said multiplication operation O, the
operation △, or the operation O is a multiplication
residue operation modulo N, that is, A O B = A*B mod N,
A △ B = A*B mod N, or A O B = A*B mod N.

6. The information processing method as claimed in
claim 4, wherein said S, S', or S" is a Mordell-Weil
group G (E/Fq) for an elliptic curve E in a finite field
Fq, where q=p^n and p is a characteristic (a prime
number), and said operation △ or the operation O is
addition in the Mordell-Weil group G (E/Fq).

7. An information processing method which lets
plaintext on an information transmitting side and key
information on an information receiving side be
elements A and x, respectively, in a monoid S" (a
semigroup having an identity element e) adopted by
said information processing method, wherein when
the expression A^x is to be calculated, where
A^x = A O A O ... O A (the right side of the equation
including x number of A's and "x-1" number of "O"s,
which each denote an operation in the monoid S"), said
method performs calculation of the expression
A^(x+T) instead, where A^T=e.

8. The information processing method as claimed in
claim 7, wherein said S, S', or S" is a commutative
ring (also a semigroup) of residue classes modulo
N, where N is a positive integer; the addition
operation "+" is addition modulo N, that is, A+B=(A+B)
mod N; and said multiplication operation O, the
operation △, or the operation O is a multiplication
residue operation modulo N, that is, A O B = A*B mod N,
A △ B = A*B mod N, or A O B = A*B mod N.

9. The information processing method as claimed in
claim 7, wherein said S, S', or S" is a Mordell-Weil
group G (E/Fq) for an elliptic curve E in a finite field
Fq, where q=p^n and p is a characteristic (a prime
number), and said operation △ or the operation O is
addition in the Mordell-Weil group G (E/Fq).
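
The operand splitting of claim 1, step (3), the exponent splitting of claims 4 and 5, and the A^(x+T) substitution of claims 7 and 8, worked in the ring of residues modulo N. This is an added example, not code from the patent: the function names, the toy primes P and Q and the sample values A, B and K are constructed for illustration, and the random multiplier r applied to T is an assumption (r*T still satisfies A^(r*T) = e).

```python
import math
import secrets

def split_sum(value, n):
    """Split a non-negative integer into n random non-negative pieces adding up to it."""
    cuts = sorted(secrets.randbelow(value + 1) for _ in range(n - 1))
    return [hi - lo for lo, hi in zip([0] + cuts, cuts + [value])]

def split_mod(value, n, N):
    """Split a residue into n random residues whose sum is value mod N."""
    pieces = [secrets.randbelow(N) for _ in range(n - 1)]
    return pieces + [(value - sum(pieces)) % N]

def mul_split(A, B, N, m=3, n=2):
    """A*B mod N as the sum of A[i]*B[j] mod N over fresh pieces of both operands."""
    a_pieces, b_pieces = split_mod(A, m, N), split_mod(B, n, N)
    return sum(a * b % N for a in a_pieces for b in b_pieces) % N

def pow_split(A, k, N, n=3):
    """A^k mod N as h[1]*h[2]*...*h[n], with h[i] = A^k[i] mod N and k = k[1]+...+k[n]."""
    result = 1
    for piece in split_sum(k, n):
        result = result * pow(A, piece, N) % N
    return result

def pow_blinded(A, x, N, T, bits=32):
    """A^(x + r*T) mod N for a fresh random r; equals A^x mod N when A^T = 1 mod N."""
    r = 1 + secrets.randbits(bits)   # assumption: r*T also satisfies A^(r*T) = 1
    return pow(A, x + r * T, N)

# Constructed toy parameters (far too small for real use).
P, Q = 1009, 1013
N = P * Q
T = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # A^T = 1 mod N if gcd(A, N) = 1
A, B, K = 123456, 654321, 127909

if __name__ == "__main__":
    print("pieces of K:", split_sum(K, 3))
    print("split:  ", pow_split(A, K, N), "direct:", pow(A, K, N))
    print("blinded:", pow_blinded(A, K, N, T))
    print("product:", mul_split(A, B, N), "direct:", A * B % N)
```

Each call draws fresh pieces, so the intermediate values differ from run to run while the result stays fixed. Python's big integers are not constant-time, so the block shows the algebra only.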